这是一个创建于 3277 天前的主题,其中的信息可能已经有所发展或是发生改变。
不懂就要问
$filename_full = 'cache'.$filename;
$filename_full = './cache1'.$filename;
$filename_full = './cache1/'.$filename;
$filename_full = 'cache'.$filename;
$filename_full = './cache1'.$filename;
$filename_full = './cache1/'.$filename;
第 1 条附言 · 2015-05-09 13:43:31 +08:00
那么问题来了,我是在找黑吗??怎么防止呢?判断下$_GET['url'];是不是好点
<?php
$target = $_GET['url'];
$filename = basename($target);
$tupian = './cache/'.$filename;
$kzm = explode(".",$filename);
$tupian_md5 = $tupian.'.txt';
if (file_exists($tupian_md5) ) {
if (count(file($tupian_md5)) == '1')
{
$md5file = md5_file($tupian);
file_put_contents($tupian_md5,PHP_EOL.$md5file,FILE_APPEND);
$content = file_get_contents($tupian);
}
else if (count(file($tupian_md5)) == '2' && substr_count(file_get_contents($tupian_md5),mb_substr(file_get_contents($tupian_md5),0,32)) == 2)
{
$content = file_get_contents($tupian);
}
else if (count(file($tupian_md5)) == '2' && substr_count(file_get_contents($tupian_md5),mb_substr(file_get_contents($tupian_md5),0,32)) != 2)
{
@unlink($tupian);
@unlink($tupian_md5);
$content = file_get_contents($target);
}
else
{
$content = file_get_contents($tupian);
}
}
else {
$md5file_t = md5_file($target);
file_put_contents($tupian_md5,$md5file_t);
//如果该文件并不存在,则读取其内容并保存在本地以供将来调用
$content = file_get_contents($target);
$fp = fopen($tupian, 'w+');
fwrite($fp, $content);
fclose($fp);
}
header('Content-Type: image/'.end($kzm).'');
echo $content;
?>
<?php
$target = $_GET['url'];
$filename = basename($target);
$tupian = './cache/'.$filename;
$kzm = explode(".",$filename);
$tupian_md5 = $tupian.'.txt';
if (file_exists($tupian_md5) ) {
if (count(file($tupian_md5)) == '1')
{
$md5file = md5_file($tupian);
file_put_contents($tupian_md5,PHP_EOL.$md5file,FILE_APPEND);
$content = file_get_contents($tupian);
}
else if (count(file($tupian_md5)) == '2' && substr_count(file_get_contents($tupian_md5),mb_substr(file_get_contents($tupian_md5),0,32)) == 2)
{
$content = file_get_contents($tupian);
}
else if (count(file($tupian_md5)) == '2' && substr_count(file_get_contents($tupian_md5),mb_substr(file_get_contents($tupian_md5),0,32)) != 2)
{
@unlink($tupian);
@unlink($tupian_md5);
$content = file_get_contents($target);
}
else
{
$content = file_get_contents($tupian);
}
}
else {
$md5file_t = md5_file($target);
file_put_contents($tupian_md5,$md5file_t);
//如果该文件并不存在,则读取其内容并保存在本地以供将来调用
$content = file_get_contents($target);
$fp = fopen($tupian, 'w+');
fwrite($fp, $content);
fclose($fp);
}
header('Content-Type: image/'.end($kzm).'');
echo $content;
?>
 |
1
Livid MOD 1 和 2 是一样的,就是单纯的字符串连接。
3 的话,是访问 cache 子目录下的文件。 |
 |
2
Septembers 2015-05-09 08:38:42 +08:00
这种写法存在安全问题
see http://zone.wooyun.org/content/2196 |
|
3
Septembers 2015-05-09 08:40:41 +08:00
这种写法存在潜在安全问题
|
 |
4
whatisnew 2015-05-09 08:42:13 +08:00
没看懂。。。
|
 |
5
Tink 2015-05-09 08:44:11 +08:00 via iPhone
一二都是当前目录下的cacheXXXXXX,第三个是cache目录下的XXXXXXX
|
 |
6
bdbai 2015-05-09 09:25:42 +08:00 via iPhone
如果$filename有..然后你又做删除操作的话要小心了
|
 |
7
elvba 2015-05-09 09:34:30 +08:00 via Android
楼主再看看这两个,能看出是什么意思么?
$filename_full = '/cache1/'.$filename; $filename_full = '../cache1/'.$filename; |
 |
8
YAFEIML OP |
 |
10
lilydjwg 2015-05-09 13:40:58 +08:00
PHP 没有连接文件路径的函数么?
|
|
11
YAFEIML OP |
 |
12
loveyu 2015-05-09 14:30:23 +08:00
一般我做下realpath 然后再检测下
|
 |
13
eastphoton 2015-05-09 21:31:54 +08:00
/filename 根目录
./filename 当前目录 ../filename 表示上一级目录 filename 当前目录 |
Select Language