From 798951f4c61cf19d38cfb34c40ef7734c40f5b08 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 22 Oct 2018 14:33:02 +0900
Subject: [PATCH 1/2] =?UTF-8?q?=EC=9D=B4=EB=AF=B8=EC=A7=80=20=EB=B3=B4?= =?UTF-8?q?=EA=B8=B0=20=EC=9E=98=EB=AA=BB=EB=90=9C=20=EC=A0=95=EA=B7=9C?= =?UTF-8?q?=EC=8B=9D=20=EC=BD=94=EB=93=9C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/view_image.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bbs/view_image.php b/bbs/view_image.php
index bc7f8e63e..196df9f4c 100644
--- a/bbs/view_image.php
+++ b/bbs/view_image.php
@@ -4,12 +4,12 @@ include_once('./_common.php');
 $g5['title'] = '이미지 크게보기';
 include_once(G5_PATH.'/head.sub.php');
-$filename = preg_replace('/[^A-Za-z0-9 _ .-\/]/', '', $_GET['fn']);
+$filename = preg_replace('/[^A-Za-z0-9 _ .\-\/]/', '', $_GET['fn']);
 $extension = pathinfo($filename, PATHINFO_EXTENSION);
 if ( ! preg_match('/(jpg|jpeg|png|gif|bmp)$/i', $extension) ){
- alert_close('확장자가 이미지인것만 요청할수 있습니다.');
+ alert_close('이미지 확장자가 아닙니다.');
 }
 if(strpos($filename, 'data/editor')) {
From c82c937fbb3f092b52c895561eec73499a739389 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 26 Oct 2018 11:54:53 +0900
Subject: [PATCH 2/2] =?UTF-8?q?get=5Freal=5Fclient=5Fip=20=ED=95=A8?= =?UTF-8?q?=EC=88=98=EC=97=90=20=ED=95=84=ED=84=B0=EB=A7=81=20=EC=BD=94?= =?UTF-8?q?=EB=93=9C=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 65f555a0d..c12ff17e3 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
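Review bot: In the bbs/view_image.php hunk, the allow-list applied to `$_GET['fn']` still passes `.` and `/`, so dot-dot path segments survive the filter and `$filename` is not confined to the image directories. The code that consumes `$filename` begins at the last context line and continues outside the hunk, so the impact depends on what follows; rejecting the request when `strpos($filename, '..') !== false` right after the `preg_replace` would close it either way. The context line `if(strpos($filename, 'data/editor'))` also treats a match at offset 0 as false and should compare with `!== false`. The extension test is only anchored at the end, so `'/^(jpg|jpeg|png|gif|bmp)$/i'` would state the intent more exactly.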
@@ -3423,10 +3423,13 @@ function is_use_email_certify(){
 function get_real_client_ip(){
- if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
- return $_SERVER['HTTP_X_FORWARDED_FOR'];
+ $real_ip = $_SERVER['REMOTE_ADDR'];
- return $_SERVER['REMOTE_ADDR'];
+ if(isset($_SERVER['HTTP_X_FORWARDED_FOR']) && preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_SERVER['HTTP_X_FORWARDED_FOR']) ){
+ $real_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
+ }
+
+ return preg_replace('/[^0-9.]/', '', $real_ip);
 }
 function get_call_func_cache($func, $args=array()){
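Review bot: The new pattern check in get_real_client_ip() constrains the shape of `X-Forwarded-For` but not its origin: the header is client-supplied, so a client that reaches the server directly can still present any IPv4 address as its own. Anything that relies on this value for logging, bans or rate limits (the callers are outside the hunk) would be safer if the header were honoured only when `$_SERVER['REMOTE_ADDR']` is a reverse proxy the site operates. Separately, `return preg_replace('/[^0-9.]/', '', $real_ip);` strips the colons and hex letters from an IPv6 `REMOTE_ADDR`, so IPv6 clients are recorded as meaningless digit strings, and `\d{1,3}` accepts octets above 255. Validating with `filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false` and ending with `return $real_ip;` would avoid both.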