firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

[KVE-2021-0172,0329,0330] 그누보드 다중 취약점 수정

Browse Source
This commit is contained in:
thisgun
2021-03-16 11:09:42 +09:00
parent 086a1738d9
commit 0139d91ac9
3 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
adm/qa_config_update.php
View File

@ -61,9 +61,17 @@ if( function_exists('filter_input_include_path') ){
$qa_include_tail = filter_input_include_path($qa_include_tail); $qa_include_tail = filter_input_include_path($qa_include_tail);
} }
// 분류에 & 나 = 는 사용이 불가하므로 2바이트로 바꾼다.
$src_char = array('&', '=');
$dst_char = array('', '〓');
$qa_category = str_replace($src_char, $dst_char, $_POST['qa_category']);
//https://github.com/gnuboard/gnuboard5/commit/f5f4925d4eb28ba1af728e1065fc2bdd9ce1da58 에 따른 조치
$qa_category = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\/\^\*]/", "", $qa_category);
$sql = " update {$g5['qa_config_table']} $sql = " update {$g5['qa_config_table']}
set qa_title = '{$_POST['qa_title']}', set qa_title = '{$_POST['qa_title']}',
qa_category = '{$_POST['qa_category']}', qa_category = '{$qa_category}',
qa_skin = '{$_POST['qa_skin']}', qa_skin = '{$_POST['qa_skin']}',
qa_mobile_skin = '{$_POST['qa_mobile_skin']}', qa_mobile_skin = '{$_POST['qa_mobile_skin']}',
qa_use_email = '{$_POST['qa_use_email']}', qa_use_email = '{$_POST['qa_use_email']}',

4
bbs/qadelete.php
View File

@ -45,7 +45,7 @@ for($i=0; $i<$count; $i++) {
// 첨부파일 삭제 // 첨부파일 삭제
for($k=1; $k<=2; $k++) { for($k=1; $k<=2; $k++) {
@unlink(G5_DATA_PATH.'/qa/'.$row['qa_file'.$k]); @unlink(G5_DATA_PATH.'/qa/'.clean_relative_paths($row['qa_file'.$k]));
// 썸네일삭제 // 썸네일삭제
if(preg_match("/\.({$config['cf_image_extension']})$/i", $row['qa_file'.$k])) { if(preg_match("/\.({$config['cf_image_extension']})$/i", $row['qa_file'.$k])) {
delete_qa_thumbnail($row['qa_file'.$k]); delete_qa_thumbnail($row['qa_file'.$k]);
@ -60,7 +60,7 @@ for($i=0; $i<$count; $i++) {
$row2 = sql_fetch(" select qa_content, qa_file1, qa_file2 from {$g5['qa_content_table']} where qa_parent = '$qa_id' "); $row2 = sql_fetch(" select qa_content, qa_file1, qa_file2 from {$g5['qa_content_table']} where qa_parent = '$qa_id' ");
// 첨부파일 삭제 // 첨부파일 삭제
for($k=1; $k<=2; $k++) { for($k=1; $k<=2; $k++) {
@unlink(G5_DATA_PATH.'/qa/'.$row2['qa_file'.$k]); @unlink(G5_DATA_PATH.'/qa/'.clean_relative_paths($row2['qa_file'.$k]));
// 썸네일삭제 // 썸네일삭제
if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['qa_file'.$k])) { if(preg_match("/\.({$config['cf_image_extension']})$/i", $row2['qa_file'.$k])) {
delete_qa_thumbnail($row2['qa_file'.$k]); delete_qa_thumbnail($row2['qa_file'.$k]);

6
bbs/qawrite_update.php
View File

@ -157,7 +157,7 @@ for ($i=1; $i<=$upload_count; $i++) {
// 삭제에 체크가 되어있다면 파일을 삭제합니다. // 삭제에 체크가 되어있다면 파일을 삭제합니다.
if (isset($_POST['bf_file_del'][$i]) && $_POST['bf_file_del'][$i]) { if (isset($_POST['bf_file_del'][$i]) && $_POST['bf_file_del'][$i]) {
$upload[$i]['del_check'] = true; $upload[$i]['del_check'] = true;
@unlink(G5_DATA_PATH.'/qa/'.$write['qa_file'.$i]); @unlink(G5_DATA_PATH.'/qa/'.clean_relative_paths($write['qa_file'.$i]));
// 썸네일삭제 // 썸네일삭제
if(preg_match("/\.({$config['cf_image_extension']})$/i", $write['qa_file'.$i])) { if(preg_match("/\.({$config['cf_image_extension']})$/i", $write['qa_file'.$i])) {
delete_qa_thumbnail($write['qa_file'.$i]); delete_qa_thumbnail($write['qa_file'.$i]);
@ -204,7 +204,7 @@ for ($i=1; $i<=$upload_count; $i++) {
if ($w == 'u') { if ($w == 'u') {
// 존재하는 파일이 있다면 삭제합니다. // 존재하는 파일이 있다면 삭제합니다.
@unlink(G5_DATA_PATH.'/qa/'.$write['qa_file'.$i]); @unlink(G5_DATA_PATH.'/qa/'.clean_relative_paths($write['qa_file'.$i]));
// 이미지파일이면 썸네일삭제 // 이미지파일이면 썸네일삭제
if(preg_match("/\.({$config['cf_image_extension']})$/i", $write['qa_file'.$i])) { if(preg_match("/\.({$config['cf_image_extension']})$/i", $write['qa_file'.$i])) {
delete_qa_thumbnail($row['qa_file'.$i]); delete_qa_thumbnail($row['qa_file'.$i]);
@ -244,7 +244,7 @@ if($w == '' || $w == 'a' || $w == 'r') {
$qa_num = $write['qa_num']; $qa_num = $write['qa_num'];
$qa_parent = $write['qa_id']; $qa_parent = $write['qa_id'];
$qa_related = $write['qa_related']; $qa_related = $write['qa_related'];
$qa_category = $write['qa_category']; $qa_category = addslashes($write['qa_category']);
$qa_type = 1; $qa_type = 1;
$qa_status = 1; $qa_status = 1;
} }