
上传漏洞问题

<script language="C#" runat="server">
// Messages
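// User-facing status messages (shown in ResultsMessage / gallerymessage).
private readonly string NoFileMessage = "No file selected";
private readonly string UploadSuccessMessage = "Uploaded Successfully";
private readonly string NoImagesMessage = "No Images";
private readonly string NoFolderSpecifiedMessage = "No folder";
private readonly string NoFileToDeleteMessage = "No file to delete";
private readonly string InvalidFileTypeMessage = "Invalid file type";
// Allow-list of accepted upload extensions, without the leading dot. This list
// drives both the client-side validator built in Page_Load and the server-side
// IsValidFileType check; it is the only thing standing between an upload and a
// file on disk, so keep it to static image types.
private readonly string[] AcceptedFileTypes = new string[] {"jpg","jpeg","jpe","gif","bmp","png"};

// Configuration
private readonly bool UploadIsEnabled = true;
private readonly bool DeleteIsEnabled = true;
// Folder, relative to the application root, used when the request carries no
// rif/cif folder values.
private readonly string DefaultImageFolder = "images";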

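// Page initialisation: requires a logged-in admin, copies the rif/cif folder
// values from the request into the hidden fields, and builds the client-side
// file-type validator from AcceptedFileTypes. Does nothing when the page is
// not loaded inside the editor frame (no "frame" request value).
private void Page_Load(object sender, System.EventArgs e) {
    AdminCs.CheckLoginState();
    // Request[] yields null for an absent value; "" + null is "".
    string isframe = "" + Request["frame"];

    if (isframe == "") {
        return;
    }

    MainPage.Visible = true;
    iframePanel.Visible = false;

    // rif (root folder) and cif (current folder) arrive on the request and are
    // echoed into hidden fields that every file operation on this page reads
    // back. They are client-controlled, so each consumer must constrain them to
    // the application directory before touching the file system.
    string rif = "" + Request["rif"];
    string cif = "" + Request["cif"];

    if (cif != "" && rif != "") {
        RootImagesFolder.Value = rif;
        CurrentImagesFolder.Value = cif;
    } else {
        RootImagesFolder.Value = DefaultImageFolder;
        CurrentImagesFolder.Value = DefaultImageFolder;
    }

    UploadPanel.Visible = UploadIsEnabled;
    DeleteImage.Visible = DeleteIsEnabled;

    // Build the validator expression from the same allow-list the server uses.
    // The previous expression ".*([\.jpg]|[\.gif]|...)$" used character classes,
    // so it accepted any name whose last character was one of '.', 'j', 'p',
    // 'g', ... rather than requiring the extension; it is rebuilt here as a
    // literal ".ext" suffix match.
    string FileErrorMessage = "";
    string ValidationString = "^.*\\.(";
    for (int i = 0; i < AcceptedFileTypes.Length; i++) {
        ValidationString += BuildExtensionPattern(AcceptedFileTypes[i]);
        FileErrorMessage += AcceptedFileTypes[i];
        if (i < AcceptedFileTypes.Length - 1) {
            ValidationString += "|";
            FileErrorMessage += ", ";
        }
    }
    FileValidator.ValidationExpression = ValidationString + ")$";
    FileValidator.ErrorMessage = FileErrorMessage;

    // The validator is a convenience for the browser only; the server-side
    // extension check in IsValidFileType remains the authoritative one.
    if (!IsPostBack) {
        DisplayImages();
    }
}

// Returns a regular-expression fragment that matches `extension` literally
// regardless of ASCII letter case. RegularExpressionValidator also evaluates the
// expression as a JavaScript regex, which has no inline (?i) flag, so the
// case-insensitivity is spelled out per character.
private static string BuildExtensionPattern(string extension) {
    System.Text.StringBuilder pattern = new System.Text.StringBuilder();
    foreach (char c in extension) {
        if (char.IsLetter(c)) {
            pattern.Append('[');
            pattern.Append(char.ToLowerInvariant(c));
            pattern.Append(char.ToUpperInvariant(c));
            pattern.Append(']');
        } else {
            pattern.Append(System.Text.RegularExpressions.Regex.Escape(c.ToString()));
        }
    }
    return pattern.ToString();
}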

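// Upload button handler: stores the posted file in the current image folder,
// reports the outcome in ResultsMessage and refreshes the gallery.
public void UploadImage_OnClick(object sender, EventArgs e) {
    ResultsMessage.Text = SaveUploadedImage();
    DisplayImages();
}

// Validates and stores the posted file; returns the message to show the user.
// Every rejection path returns one of the page's message fields so the caller
// can treat all outcomes uniformly.
private string SaveUploadedImage() {
    if (!Page.IsValid) {
        // The page's only validator is the file-type validator, so a validation
        // failure is reported as an invalid type (as before).
        return InvalidFileTypeMessage;
    }
    if (CurrentImagesFolder.Value == "") {
        return NoFolderSpecifiedMessage;
    }
    string postedName = UploadFile.PostedFile.FileName.Trim();
    if (postedName == "") {
        return NoFileMessage;
    }

    // Keep only the file-name part of whatever the client sent. The original
    // cut at the last backslash only, so a name containing "/" kept its
    // directory component and was appended to the destination path as-is.
    string uploadFileName;
    try {
        uploadFileName = System.IO.Path.GetFileName(postedName);
    } catch (ArgumentException) {
        // Illegal path characters in the posted name.
        return InvalidFileTypeMessage;
    }
    // The extension allow-list is the server-side gate. The Content-Type header
    // and the client-side validator are both chosen by the sender and must not
    // be relied on.
    if (uploadFileName == "" || !IsValidFileType(uploadFileName)) {
        return InvalidFileTypeMessage;
    }

    try {
        // CurrentImagesFolder is a hidden field, i.e. client-supplied. Resolve it
        // against the application directory and refuse anything that escapes it
        // (e.g. "..\" segments or a rooted path). Constraining it to
        // DefaultImageFolder would be tighter but would break the rif/cif
        // folder-browsing feature this page offers.
        string appRoot = System.IO.Path.GetFullPath(HttpContext.Current.Request.PhysicalApplicationPath);
        if (!appRoot.EndsWith(System.IO.Path.DirectorySeparatorChar.ToString())) {
            appRoot += System.IO.Path.DirectorySeparatorChar;
        }
        string destinationFolder = System.IO.Path.GetFullPath(System.IO.Path.Combine(appRoot, CurrentImagesFolder.Value));
        if (!(destinationFolder + System.IO.Path.DirectorySeparatorChar).StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)) {
            return NoFolderSpecifiedMessage;
        }
        if (!System.IO.Directory.Exists(destinationFolder)) {
            return NoFolderSpecifiedMessage;
        }
        UploadFile.PostedFile.SaveAs(System.IO.Path.Combine(destinationFolder, uploadFileName));
        return UploadSuccessMessage;
    } catch (Exception) {
        // Exception details are deliberately not echoed to the client.
        return "There was an error.";
    }
}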

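// Delete button handler: removes the file named by the FileToDelete hidden
// field from the current image folder, reports the outcome and refreshes the
// gallery.
public void DeleteImage_OnClick(object sender, EventArgs e) {
    ResultsMessage.Text = DeleteSelectedImage();
    DisplayImages();
}

// Deletes the selected image and returns the message to show the user. Both
// FileToDelete and CurrentImagesFolder are hidden fields and therefore
// client-supplied; neither is allowed to name anything outside the current
// folder, and only files with an allowed image extension may be deleted (the
// gallery only ever offers image files, and this keeps configuration files out
// of reach).
private string DeleteSelectedImage() {
    string requested = FileToDelete.Value;
    // "undefined" is what the client script posts when nothing is selected.
    if (requested == "" || requested == "undefined") {
        return NoFileToDeleteMessage;
    }
    try {
        // Accept a bare file name only: any directory part means the value was
        // not produced by the gallery.
        string fileName = System.IO.Path.GetFileName(requested);
        if (fileName != requested || !IsValidFileType(fileName)) {
            return NoFileToDeleteMessage;
        }

        string appRoot = System.IO.Path.GetFullPath(HttpContext.Current.Request.PhysicalApplicationPath);
        if (!appRoot.EndsWith(System.IO.Path.DirectorySeparatorChar.ToString())) {
            appRoot += System.IO.Path.DirectorySeparatorChar;
        }
        string folderPath = System.IO.Path.GetFullPath(System.IO.Path.Combine(appRoot, CurrentImagesFolder.Value));
        if (!(folderPath + System.IO.Path.DirectorySeparatorChar).StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)) {
            return NoFileToDeleteMessage;
        }

        System.IO.File.Delete(System.IO.Path.Combine(folderPath, fileName));
        // Encoded because the name is reflected into the page; harmless if
        // ResultsMessage already encodes its text (it would then show as-is).
        return "Deleted: " + HttpUtility.HtmlEncode(fileName);
    } catch (Exception) {
        // Exception details are deliberately not echoed to the client.
        return "There was an error.";
    }
}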

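// Returns true when FileName's (last) extension is one of AcceptedFileTypes,
// ignoring letter case. Only the extension is consulted: the Content-Type
// header and the client-side validator are chosen by the sender, so this is
// the check that decides what gets written to disk.
private bool IsValidFileType(string FileName) {
    if (FileName == null) {
        return false;
    }
    string ext;
    try {
        // GetExtension returns "" for a name with no dot (the original then
        // compared the whole name, so a file literally named "gif" passed) and
        // otherwise the last extension including its leading dot.
        ext = System.IO.Path.GetExtension(FileName.Trim());
    } catch (ArgumentException) {
        // Illegal path characters in the name.
        return false;
    }
    if (ext.Length < 2) {
        return false;
    }
    ext = ext.Substring(1);
    for (int i = 0; i < AcceptedFileTypes.Length; i++) {
        if (string.Equals(ext, AcceptedFileTypes[i], StringComparison.OrdinalIgnoreCase)) {
            return true;
        }
    }
    return false;
}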


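// Lists the files in the current image folder. Returns an empty array when no
// folder is selected, when the folder resolves outside the application
// directory, or when it cannot be read. The original returned null in those
// cases, which the gallery's foreach did not guard against; callers that test
// for null still work because they also test Length.
private string[] ReturnFilesArray() {
    if (CurrentImagesFolder.Value == "") {
        return new string[0];
    }
    try {
        // CurrentImagesFolder is a hidden field, so it is client-supplied; do
        // not list anything outside the application directory.
        string appRoot = System.IO.Path.GetFullPath(HttpContext.Current.Request.PhysicalApplicationPath);
        if (!appRoot.EndsWith(System.IO.Path.DirectorySeparatorChar.ToString())) {
            appRoot += System.IO.Path.DirectorySeparatorChar;
        }
        string imageFolderPath = System.IO.Path.GetFullPath(System.IO.Path.Combine(appRoot, CurrentImagesFolder.Value));
        if (!(imageFolderPath + System.IO.Path.DirectorySeparatorChar).StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)) {
            return new string[0];
        }
        return System.IO.Directory.GetFiles(imageFolderPath, "*");
    } catch (Exception) {
        // Best effort: a missing or unreadable folder shows as "no images".
        return new string[0];
    }
}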

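// Lists the sub-directories of the current image folder. Returns an empty
// array when no folder is selected, when the folder resolves outside the
// application directory, or when it cannot be read (the original returned
// null, which the gallery's foreach did not guard against).
private string[] ReturnDirectoriesArray() {
    if (CurrentImagesFolder.Value == "") {
        return new string[0];
    }
    try {
        // CurrentImagesFolder is a hidden field, so it is client-supplied; do
        // not list anything outside the application directory.
        string appRoot = System.IO.Path.GetFullPath(HttpContext.Current.Request.PhysicalApplicationPath);
        if (!appRoot.EndsWith(System.IO.Path.DirectorySeparatorChar.ToString())) {
            appRoot += System.IO.Path.DirectorySeparatorChar;
        }
        string currentFolderPath = System.IO.Path.GetFullPath(System.IO.Path.Combine(appRoot, CurrentImagesFolder.Value));
        if (!(currentFolderPath + System.IO.Path.DirectorySeparatorChar).StartsWith(appRoot, StringComparison.OrdinalIgnoreCase)) {
            return new string[0];
        }
        return System.IO.Directory.GetDirectories(currentFolderPath, "*");
    } catch (Exception) {
        // Best effort: a missing or unreadable folder shows no sub-folders.
        return new string[0];
    }
}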


--------------------编程问答-------------------- 接上面

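// Rebuilds the gallery panel from the current image folder: an "Up" entry when
// the current folder differs from the root, one entry per sub-directory and
// one thumbnail entry per readable image file. Files System.Drawing cannot
// open (non-images, corrupt files) are skipped, as before.
public void DisplayImages() {
    string[] FilesArray = ReturnFilesArray();
    string[] DirectoriesArray = ReturnDirectoriesArray();
    string AppPath = HttpContext.Current.Request.PhysicalApplicationPath;

    // Application URL, always ending in a slash.
    string AppUrl;
    if (Request.ApplicationPath == "/") {
        AppUrl = Request.ApplicationPath;
    } else {
        AppUrl = Request.ApplicationPath + "/";
    }

    bool noFiles = FilesArray == null || FilesArray.Length == 0;
    bool noDirectories = DirectoriesArray == null || DirectoriesArray.Length == 0;

    GalleryPanel.Controls.Clear();
    if (noFiles && noDirectories) {
        // RootImagesFolder comes from the rif request value; encode it before
        // it is reflected into the page.
        gallerymessage.Text = NoImagesMessage + ": " + HttpUtility.HtmlEncode(RootImagesFolder.Value);
        return;
    }

    // Thumbnail box size; images are scaled down to fit, never up.
    int thumbWidth = 94;
    int thumbHeight = 94;

    if (CurrentImagesFolder.Value != RootImagesFolder.Value) {
        AddUpEntry(AppUrl);
    }

    // The original iterated a null array when only one of the two lookups had
    // results, which threw NullReferenceException; both loops are now guarded.
    if (!noDirectories) {
        foreach (string directoryPath in DirectoriesArray) {
            try {
                AddDirectoryEntry(AppUrl, AppPath, directoryPath);
            } catch (Exception) {
                // Best effort: an entry that cannot be rendered is skipped.
            }
        }
    }

    if (!noFiles) {
        foreach (string imagePath in FilesArray) {
            try {
                AddImageEntry(AppUrl, imagePath, thumbWidth, thumbHeight);
            } catch (Exception) {
                // Deliberate: Image.FromFile throws for anything that is not a
                // readable image, and such files are simply not shown.
            }
        }
    }
    gallerymessage.Text = "";
}

// Adds the "Up" (parent folder) entry to the gallery.
private void AddUpEntry(string appUrl) {
    System.Web.UI.HtmlControls.HtmlImage icon = new System.Web.UI.HtmlControls.HtmlImage();
    icon.Src = appUrl + "images/ftb/folder.up.gif";
    icon.Attributes["unselectable"] = "on";
    icon.Attributes["align"] = "absmiddle";
    icon.Attributes["vspace"] = "36";

    // Parent is everything before the last backslash. A folder value without
    // one (e.g. a forward-slash path) has no computable parent; the original
    // threw ArgumentOutOfRangeException here, so fall back to the root.
    string current = CurrentImagesFolder.Value;
    int cut = current.LastIndexOf("\\");
    string parentFolder = cut >= 0 ? current.Substring(0, cut) : RootImagesFolder.Value;

    AddGalleryEntry(icon, true,
        "divClick(this,'');",
        "gotoFolder('" + JsStringLiteral(RootImagesFolder.Value) + "','" + JsStringLiteral(parentFolder) + "');",
        "Up");
}

// Adds one sub-directory entry to the gallery. directoryPath is the physical
// path returned by Directory.GetDirectories.
private void AddDirectoryEntry(string appUrl, string appPath, string directoryPath) {
    System.Web.UI.HtmlControls.HtmlImage icon = new System.Web.UI.HtmlControls.HtmlImage();
    icon.Src = appUrl + "images/ftb/folder.big.gif";
    icon.Attributes["unselectable"] = "on";
    icon.Attributes["align"] = "absmiddle";
    icon.Attributes["vspace"] = "29";

    // The client script navigates by application-relative folder path; the
    // title shows the name relative to the current folder.
    string relativeToApp = directoryPath.Replace(appPath, "");
    string displayName = directoryPath.Replace(appPath + CurrentImagesFolder.Value + "\\", "");

    AddGalleryEntry(icon, true,
        "divClick(this);",
        "gotoFolder('" + JsStringLiteral(RootImagesFolder.Value) + "','" + JsStringLiteral(relativeToApp) + "');",
        HttpUtility.HtmlEncode(displayName));
}

// Adds one thumbnail entry to the gallery. imagePath is the physical path
// returned by Directory.GetFiles; throws when the file is not a readable image.
private void AddImageEntry(string appUrl, string imagePath, int thumbWidth, int thumbHeight) {
    string imageFileName = imagePath.Substring(imagePath.LastIndexOf("\\") + 1);
    // URL of the image as served by the web server. (The original also cut the
    // URL at its last backslash, which a URL never contains; that no-op is gone.)
    string imageFileLocation = appUrl + CurrentImagesFolder.Value + "/" + imageFileName;

    int width;
    int height;
    // Image.FromFile keeps the file open until the Image is disposed; the
    // original only disposed on the success path, so a failure later in the
    // loop body leaked the handle until finalisation.
    using (System.Drawing.Image image = System.Drawing.Image.FromFile(imagePath)) {
        width = image.Width;
        height = image.Height;
    }

    System.Web.UI.HtmlControls.HtmlImage thumb = new System.Web.UI.HtmlControls.HtmlImage();
    thumb.Src = imageFileLocation;
    thumb.Attributes["unselectable"] = "on";

    // Scale to the thumbnail box along the longer side; integer maths as before.
    if (width > height) {
        // landscape
        if (width > thumbWidth) {
            thumb.Width = thumbWidth;
            thumb.Height = height * thumbWidth / width;
        } else {
            thumb.Width = width;
            thumb.Height = height;
        }
    } else {
        // portrait (or square)
        if (height > thumbHeight) {
            thumb.Height = thumbHeight;
            thumb.Width = width * thumbHeight / height;
        } else {
            thumb.Width = width;
            thumb.Height = height;
        }
    }

    // Centre short images vertically inside the thumbnail box.
    if (thumb.Height < thumbHeight) {
        thumb.Attributes["vspace"] = ((thumbHeight / 2) - (thumb.Height / 2)).ToString();
    }

    string sizeText = width.ToString() + "x" + height.ToString();
    AddGalleryEntry(thumb, false,
        "divClick(this,'" + JsStringLiteral(imageFileName) + "');",
        "returnImage('" + JsStringLiteral(imageFileLocation.Replace("\\", "/")) + "','" + width.ToString() + "','" + height.ToString() + "');",
        HttpUtility.HtmlEncode(imageFileName) + "<BR>" + sizeText);
}

// Wraps `image` in the imageholder / imagespacer / titleHolder panel structure
// the gallery stylesheet and client script expect, and appends it to
// GalleryPanel. titleHtml is emitted as-is, so callers encode any file or
// folder name they put in it.
private void AddGalleryEntry(System.Web.UI.HtmlControls.HtmlImage image, bool holderUnselectable, string onClick, string onDblClick, string titleHtml) {
    System.Web.UI.WebControls.Panel imageHolder = new System.Web.UI.WebControls.Panel();
    imageHolder.CssClass = "imageholder";
    if (holderUnselectable) {
        imageHolder.Attributes["unselectable"] = "on";
    }
    imageHolder.Attributes["onclick"] = onClick;
    imageHolder.Attributes["ondblclick"] = onDblClick;
    imageHolder.Controls.Add(image);

    System.Web.UI.WebControls.Panel mainHolder = new System.Web.UI.WebControls.Panel();
    mainHolder.CssClass = "imagespacer";
    mainHolder.Controls.Add(imageHolder);

    System.Web.UI.WebControls.Panel titleHolder = new System.Web.UI.WebControls.Panel();
    titleHolder.CssClass = "titleHolder";
    titleHolder.Controls.Add(new LiteralControl(titleHtml));
    mainHolder.Controls.Add(titleHolder);

    GalleryPanel.Controls.Add(mainHolder);
}

// Escapes `value` for use inside a single-quoted JavaScript string literal
// that lives in an HTML event attribute. The attribute renderer encodes '"',
// '&' and '<' but not the single quote, so a folder name, file name or the
// request-supplied rif value could otherwise terminate the string and inject
// script. Backslashes are doubled (this subsumes the original's
// Replace("\\", "\\\\") on folder paths).
private static string JsStringLiteral(string value) {
    if (value == null) {
        return "";
    }
    System.Text.StringBuilder escaped = new System.Text.StringBuilder(value.Length);
    foreach (char c in value) {
        switch (c) {
            case '\\': escaped.Append("\\\\"); break;
            case '\'': escaped.Append("\\'"); break;
            case '"': escaped.Append("\\\""); break;
            case '\r': escaped.Append("\\r"); break;
            case '\n': escaped.Append("\\n"); break;
            case '<': escaped.Append("\\x3c"); break;
            case '>': escaped.Append("\\x3e"); break;
            case '&': escaped.Append("\\x26"); break;
            default: escaped.Append(c); break;
        }
    }
    return escaped.ToString();
}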
</script>



请问这段代码怎么防止上传 .ASP .ASPX .PHP 一切可执行的文件????????????????? --------------------编程问答-------------------- content --------------------编程问答-------------------- 帮顶 --------------------编程问答-------------------- 学习,帮顶 --------------------编程问答-------------------- 根据文件类型及保存后的文件类型控制 --------------------编程问答-------------------- 别说啊 给写一下可以吗 ????????????????????????????????????????????????? --------------------编程问答-------------------- 我晕 ....给你顶吧  --------------------编程问答-------------------- ... --------------------编程问答-------------------- ding le
  --------------------编程问答-------------------- 用contenttype判断文件格式,判断出来之后就知道咋办了吧 --------------------编程问答-------------------- 看在大家这么热情和一个初学者的份上能不能帮改一段 帮忙写一下好吗?也算造福我们这些初学者了 --------------------编程问答-------------------- 顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶请求高人高人高人高人 --------------------编程问答-------------------- 在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶在顶顶 --------------------编程问答-------------------- fileupload.PostedFile.ContentType

contentType.Equals("image/jpeg") || contentType.Equals("image/pjpeg")

http://www.w3school.com.cn/media/media_mimeref.asp

--------------------编程问答-------------------- 比我还懒! --------------------编程问答-------------------- 初学者迷茫中你这个写完加在那啊 ?????????????????????????????????????????????????????
contentType.Equals("image/jpeg") || contentType.Equals("image/pjpeg") 

而且这个我也没有看明白啊 --------------------编程问答-------------------- 你的代码那么长,我也懒得看。。
你的这 UploadFile.PostedFile 中的ContentType 属性就是文件类型,也就是对应的后缀名呀,你自己对照

http://www.w3school.com.cn/media/media_mimeref.asp 

这个再去判断。。OK? --------------------编程问答-------------------- UploadFileName = UploadFile.PostedFile.FileName;

if (UploadFile.PostedFile.FileName("asp") > 0 || UploadFile.PostedFile.FileName("aspx") > 0) //判断文件名中是否有asp或aspx
{
Response.Write("<script language='javascript'>alert('支持格式:|jpg|gif|bmp|');</script>");
}

UploadFileName = UploadFileName.Substring(UploadFileName.LastIndexOf("\\")+1);

这样???????????????????
--------------------编程问答-------------------- 请高人指点!~~~~~~~~~~~~~~~~~~~~~ --------------------编程问答-------------------- 顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶 --------------------编程问答-------------------- 顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶 --------------------编程问答-------------------- 继续顶 求教高人 --------------------编程问答-------------------- 有人吗 高人在吗 ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? --------------------编程问答-------------------- 顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶 --------------------编程问答-------------------- 顶顶顶顶顶顶 --------------------编程问答-------------------- 晕,学习下~ --------------------编程问答-------------------- 用contenttype判断文件格式之后,再判断后缀名,两个缺一不可 --------------------编程问答-------------------- 顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶v --------------------编程问答-------------------- 不回答了   帮顶  jf --------------------编程问答-------------------- 学习了! --------------------编程问答-------------------- 顶了楼主,我想我的方法也就是靠文件后缀名来判断了 --------------------编程问答-------------------- 关注 --------------------编程问答-------------------- 学习ing...