
CVE-2022-44289: Code logic error causes file upload getshell · Issue #2772 · top-think/framework

ThinkPHP 5.1.41 and 5.0.24 have a code logic error which causes file upload getshell.


Code logic error causes file upload getshell
Verify version: Thinkphp5.1.41/Thinkphp5.0.24
Install: composer create-project topthink/think tp 5.xxx

Test version: Thinkphp5.1.41
If the user directly uses the move method of thinkphp like this, adding an upload controller like the one in the official documentation: https://www.kancloud.cn/manual/thinkphp5_1/354121

    <?php
    namespace app\index\controller;

    class Upload
    {
        public function index()
        {
            // Get the uploaded form file, e.g. 001.jpg was uploaded
            $file = request()->file('image');
            // Move it to the /uploads/ directory under the framework's site directory
            $info = $file->move('./uploads');
            if ($info) {
                // After a successful upload, get the upload info
                // Outputs jpg
                echo $info->getExtension();
                // Outputs 20160820/42a79759f284b767dfcb2a0197904287.jpg
                echo $info->getSaveName();
                // Outputs 42a79759f284b767dfcb2a0197904287.jpg
                echo $info->getFilename();
            } else {
                // Upload failed; get the error message
                echo $file->getError();
            }
        }
    }

This will cause a file with the suffix php to be uploaded directly, because in thinkphp\library\think\File.php line 272 it is allowed:

    public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* Strictly check image files */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            $this->error = 'illegal image files';
            return false;
        }

        return true;
    }

I think the problem is that true and false are written in reverse. And !in_array getImageType

The logic should be?

    public function checkImg()
    {
        $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION));

        /* Strictly check image files */
        if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) {
            return true;
        }

        return false;
    }
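
The two versions of the check above, as an added example that is not part of the original issue or of ThinkPHP's code: a standalone PHP script that runs the quoted logic and the proposed logic over three constructed uploads. The function names, `imageType()` (a `getimagesize()` stand-in for `getImageType()`) and the sample files are assumptions.

```php
<?php
// Added example, not ThinkPHP code: both checks from this page as plain
// functions, run over constructed uploads. Function names are hypothetical.

const IMAGE_EXTS  = ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf'];
const IMAGE_TYPES = [1, 2, 3, 4, 6, 13]; // IMAGETYPE_* values listed in checkImg()

// Assumption: stands in for File::getImageType(); false when not an image.
function imageType(string $path)
{
    $info = @getimagesize($path);
    return $info ? $info[2] : false;
}

// The check as quoted from File.php: only image-named files are inspected.
function checkImgAsShipped(string $name, string $path): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, IMAGE_EXTS) && !in_array(imageType($path), IMAGE_TYPES)) {
        return false;
    }
    return true;
}

// The allowlist logic proposed in the issue: both conditions must hold.
function checkImgAllowlist(string $name, string $path): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, IMAGE_EXTS) && in_array(imageType($path), IMAGE_TYPES, true);
}

// Constructed samples: a 1x1 GIF and a harmless PHP one-liner.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$php = "<?php echo 'placeholder';";
$samples = [
    'photo.gif' => $gif,  // genuine image
    'fake.jpg'  => $php,  // image name, non-image content
    'page.php'  => $php,  // non-image name: never inspected by the shipped check
];

foreach ($samples as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($path, $bytes);
    printf("%-10s shipped=%-6s allowlist=%s\n", $name,
        var_export(checkImgAsShipped($name, $path), true),
        var_export(checkImgAllowlist($name, $path), true));
    unlink($path);
}
```

Independently of `checkImg()`, an application can restrict extensions itself by calling the upload validation from the ThinkPHP 5 documentation, `$file->validate(['ext' => 'jpg,png,gif'])`, before `move()`.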

Related news

GHSA-59fh-rjq3-xq7j: Thinkphp has a code logic error
