检测上传文件是否含有非法代码
作者:cmscn 日期:2008-08-20
找到include/upload_config.asp
把Class FileInfo到end class那段替换为:
Code:
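' FileInfo describes one uploaded file inside the request data held in
' upfile_classes_Stream (a stream object defined outside this class).
' SaveAs scans the file's bytes for a list of forbidden strings and, if none
' is found, writes the file to disk.
'
' NOTE(review): a substring blacklist over file content is a best-effort extra
' check only. It can reject harmless binary files that happen to contain one
' of the strings, and it should not be the only control: also restrict the
' extension of the saved file name and store uploads in a directory where the
' server does not execute scripts.
Class FileInfo
    Dim FormName, FileName, FilePath, FileSize, FileStart

    ' Start with an empty descriptor; FileSize = 0 / FileStart = 0 mean "no file".
    Private Sub Class_Initialize
        FileName = ""
        FilePath = ""
        FileSize = 0
        FileStart = 0
        FormName = ""
    End Sub

    ' Converts a byte string to a text string so that InStr can search it.
    ' Bytes below &H80 become one character each; a byte >= &H80 is combined
    ' with the following byte into one double-byte character code.
    ' A lone byte >= &H80 at the very end has no partner byte and is dropped
    ' (the earlier code called AscB on an empty string there and raised an error).
    Public Function byte2asc(inbyte)
        Dim ThisCharCode, NextCharCode, tmpreturn, tmpvar, totalBytes
        tmpreturn = ""
        totalBytes = LenB(inbyte)
        tmpvar = 1
        Do While tmpvar <= totalBytes
            ThisCharCode = AscB(MidB(inbyte, tmpvar, 1))
            If ThisCharCode < &H80 Then
                tmpreturn = tmpreturn & Chr(ThisCharCode)
            ElseIf tmpvar < totalBytes Then
                NextCharCode = AscB(MidB(inbyte, tmpvar + 1, 1))
                tmpreturn = tmpreturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
                tmpvar = tmpvar + 1 ' the second byte of the pair is consumed
            End If
            tmpvar = tmpvar + 1
        Loop
        byte2asc = tmpreturn
    End Function

    ' Saves the uploaded file to FullPath after scanning its content.
    ' Returns 0 on success and 1 when nothing was saved (empty path, path
    ' ending in "/", or no file data). When a forbidden string is found the
    ' function writes an error message and ends the response.
    Public Function SaveAs(FullPath)
        Dim dr, i, ComStr, strArray, strText
        SaveAs = 1
        If Trim(FullPath) = "" Or FileSize = 0 Or FileStart = 0 Or FileName = "" Then Exit Function
        If Right(FullPath, 1) = "/" Then Exit Function

        ' Forbidden strings, compared against the lower-cased file content.
        ' NOTE(review): "folderfath" looks like a typo for another word - confirm.
        ComStr = "cookie|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory"
        ComStr = ComStr & "|.saveas|wscript.shell|script.encode|folderfath|session|script"
        strArray = Split(ComStr, "|")
        strText = LCase(byte2asc(FileData))
        For i = 0 To UBound(strArray)
            If InStr(strText, strArray(i)) <> 0 Then
                Response.Write("您上传的文件中包含不安全的代码,抱歉!<a href='javascript:history.go(-1)'> ←返回</a>")
                Response.End
            End If
        Next

        Set dr = CreateObject("Adodb.Stream")
        dr.Mode = 3 ' read/write
        dr.Type = 1 ' binary
        dr.Open
        ' FileStart is used as a 1-based offset here; Stream.Position is 0-based.
        upfile_classes_Stream.Position = FileStart - 1
        upfile_classes_Stream.CopyTo dr, FileSize
        dr.SaveToFile FullPath, 2 ' 2 = overwrite an existing file
        dr.Close
        Set dr = Nothing
        SaveAs = 0
    End Function

    ' Returns the raw bytes of the uploaded file.
    ' The read starts at FileStart - 1, the same offset SaveAs copies from, so
    ' the scanned bytes are exactly the bytes written to disk. (Reading from
    ' FileStart skipped the first byte of the file and took one byte past its end.)
    Public Function FileData
        Dim startPos
        If FileStart > 0 Then
            startPos = FileStart - 1
        Else
            startPos = 0 ' no file recorded; keep the earlier position for this case
        End If
        upfile_classes_Stream.Position = startPos
        FileData = upfile_classes_Stream.Read(FileSize)
    End Function
End Class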