Articles tagged PHP SECURITY CALENDAR 2017

A summary of thoughts prompted by PHP SECURITY CALENDAR 2017

0x01 Background

Day 1 - Wish List

Can you spot the vulnerability?

<?php
class Challenge {
  const UPLOAD_DIRECTORY = './solutions/';
  private $file;
  private $whitelist;

  public function __construct($file) {
    $this->file = $file;
    // whitelist holds the integers 1..24, not strings
    $this->whitelist = range(1, 24);
  }

  public function __destruct() {
    // in_array() without its third argument compares with == (loose comparison)
    if (in_array($this->file['name'], $this->whitelist)) {
      move_uploaded_file(
        $this->file['tmp_name'],
        self::UPLOAD_DIRECTORY . $this->file['name']
      );
    }
  }
}

$challenge = new Challenge($_FILES['solution']);

The key problem here lies in the in_array() function. Let's first look at the definition of in_array():
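To make the loose-comparison issue concrete, here is an added example (not code from the original post or the challenge) that puts the challenge's default in_array() check next to a strict one and next to a hardened variant. The function names isAllowedLoose, isAllowedStrict and storedPathFor and the probe strings are assumptions constructed for this illustration:

```php
<?php
// Added example, not part of the original post.
// Compares the challenge's loose in_array() check with a strict one and a
// hardened upload handler. Function names and probe values are constructed.

function isAllowedLoose(string $name): bool {
    // Default in_array() compares with ==, so the string $name is matched
    // against the integers 1..24 using PHP's type juggling.
    return in_array($name, range(1, 24));
}

function isAllowedStrict(string $name): bool {
    // Third argument true forces ===; a string never equals an int,
    // so with an integer whitelist this rejects every client file name.
    return in_array($name, range(1, 24), true);
}

// Hardened variant: keep the allow-list as exact strings, compare strictly,
// and build the stored path only from a value that passed the check.
function storedPathFor(string $clientName, string $dir = './solutions/'): ?string {
    $allowed = array_map('strval', range(1, 24));   // "1" ... "24"
    if (!in_array($clientName, $allowed, true)) {
        return null;
    }
    // $clientName is now one of 24 fixed strings; no other name reaches here.
    return $dir . $clientName;
}

// Constructed probe names: one exact match, two numeric strings that are
// not literally in the list, one out-of-range number, one ordinary file name.
$probes = ['1', '01', '1e0', '25', 'notes.txt'];
foreach ($probes as $p) {
    printf("%-12s loose=%-5s strict=%-5s stored=%s\n",
        var_export($p, true),
        var_export(isAllowedLoose($p), true),
        var_export(isAllowedStrict($p), true),
        var_export(storedPathFor($p), true));
}
```

Run it with the PHP CLI. Because "01" and "1e0" are numeric strings, `"01" == 1` and `"1e0" == 1` are true on both PHP 7 and PHP 8, so the loose check accepts names that are not among the 24 literal values; how non-numeric strings compare against integers changed in PHP 8, which is why a check built on == behaves differently across versions. Note the caveat shown by isAllowedStrict: simply adding `true` to the existing call is not a complete fix, since `$_FILES[...]['name']` is always a string and would never match an integer whitelist. The allow-list must be changed to strings as well, as storedPathFor does, and the stored name should be derived only from a value that passed that strict check.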
