From e2e454b00fcd380261d4a1d5dc6e1bd45b953a72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B9=E6=99=AF=E7=AB=8B?=
Date: Thu, 13 May 2021 17:47:10 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=96=87=E4=BB=B6=E4=B8=8A?= =?UTF-8?q?=E4=BC=A0=E5=AE=89=E5=85=A8=E5=A4=84=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/admin/controller/api/Upload.php | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/app/admin/controller/api/Upload.php b/app/admin/controller/api/Upload.php
index 547d37b5f..02c1f8bef 100644
--- a/app/admin/controller/api/Upload.php
+++ b/app/admin/controller/api/Upload.php
@@ -137,9 +137,12 @@ class Upload extends Controller
 $file->move(dirname($distname), basename($distname));
 $info = $local->info($this->name, $this->safe, $original);
 if (in_array($extension, ['jpg', 'gif', 'png', 'bmp', 'jpeg', 'wbmp'])) {
+ if ($this->imgNotSafe($distname) && $local->del($this->name)) {
+ return json(['uploaded' => false, 'error' => ['message' => '图片未通过安全检查!']]);
+ }
 [$width, $height] = getimagesize($distname);
 if (($width < 1 || $height < 1) && $local->del($this->name)) {
- return json(['uploaded' => false, 'error' => ['message' => '图片读取尺寸失败!']]);
+ return json(['uploaded' => false, 'error' => ['message' => '读取图片的尺寸失败!']]);
 }
 }
 } else {
@@ -203,4 +206,26 @@ class Upload extends Controller
 }
 }
+ /**
+ * 检查图片是否安全
+ * @param string $filename
+ * @return boolean
+ */
+ private function imgNotSafe(string $filename): bool
+ {
+ $source = fopen($filename, 'rb');
+ if (($size = filesize($filename)) > 512) {
+ $hexs = bin2hex(fread($source, 512));
+ fseek($source, $size - 512);
+ $hexs .= bin2hex(fread($source, 512));
+ } else {
+ $hexs = bin2hex(fread($source, $size));
+ }
+ if (is_resource($source)) fclose($source);
+ $bins = hex2bin($hexs);
+ /* 匹配十六进制中的 <% ( ) %> 或
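Review bot: The rejection on the new `if ($this->imgNotSafe($distname) && $local->del($this->name))` line is conditional on the delete succeeding, so when `$local->del()` returns false the file that failed the check stays at `$distname` and the method continues to the success response for it. Reject on the scan result alone and treat deletion as cleanup: `if ($this->imgNotSafe($distname)) {` / `$local->del($this->name);` / `return json(['uploaded' => false, 'error' => ['message' => '图片未通过安全检查!']]);` — the pre-existing size check just below has the same coupling and could take the same shape. The check also runs after `$file->move(...)` has already written the file to its final location; if `dirname($distname)` is served directly, scanning the temporary upload before the move would close that window, though the hunk does not show whether the destination is web-accessible. The scan itself (second hunk, cut off in this view) only looks at the first and last 512 bytes, so it should be read as a heuristic layer rather than the control that keeps uploads from being executed. The enclosing upload method starts before and continues after this hunk.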