From 251dfc26e8252138f9b579b78be62a12444b2323 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 14 Jun 2022 18:18:05 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2022-0137]=20=EA=B7=B8=EB=88=84=EB=B3=B4?=
 =?UTF-8?q?=EB=93=9C=20XSS,=20SQL=20Injection=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/shop_admin/admin.shop.lib.php | 2 +-
 adm/shop_admin/itemsupply.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/adm/shop_admin/admin.shop.lib.php b/adm/shop_admin/admin.shop.lib.php
index 02225e029..4aa2ba405 100644
--- a/adm/shop_admin/admin.shop.lib.php
+++ b/adm/shop_admin/admin.shop.lib.php
@@ -72,7 +72,7 @@ function order_update_delivery($od_id, $mb_id, $change_status, $delivery)
     if($change_status != '배송')
         return;
 
-    $sql = " update {$g5['g5_shop_order_table']} set od_delivery_company = '{$delivery['delivery_company']}', od_invoice = '{$delivery['invoice']}', od_invoice_time = '{$delivery['invoice_time']}' where od_id = '$od_id' and od_status = '준비' ";
+    $sql = " update {$g5['g5_shop_order_table']} set od_delivery_company = '".sql_real_escape_string($delivery['delivery_company'])."', od_invoice = '".sql_real_escape_string($delivery['invoice'])."', od_invoice_time = '".sql_real_escape_string($delivery['invoice_time'])."' where od_id = '$od_id' and od_status = '준비' ";
     sql_query($sql);
 
     $sql = " select * from {$g5['g5_shop_cart_table']} where od_id = '$od_id' ";
diff --git a/adm/shop_admin/itemsupply.php b/adm/shop_admin/itemsupply.php
index 7abd56334..a992be375 100644
--- a/adm/shop_admin/itemsupply.php
+++ b/adm/shop_admin/itemsupply.php
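Review bot: `$od_id` is still interpolated unescaped into the rewritten UPDATE on the `+` line (`where od_id = '$od_id'`) and into the SELECT on the hunk's last context line, while only the three `$delivery` fields were wrapped in sql_real_escape_string(). Whether that is safe depends on the caller having validated `$od_id` before calling order_update_delivery(), which is not visible in this hunk; escaping it the same way, `where od_id = '".sql_real_escape_string($od_id)."' and od_status = '준비' "`, would make the function's own queries safe regardless of how it is called. If the parameter is guaranteed numeric upstream, a comment such as `// $od_id is expected to be pre-validated by the caller` on the signature would record that assumption for the next reader. The function body continues outside the hunk.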
@@ -85,7 +85,7 @@ if($ps_run) {
         } // for
     } else {
         for($i=0; $i<$subject_count; $i++) {
-            $spl_subject = isset($_POST['subject'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['subject'][$i]))) : '';
+            $spl_subject = isset($_POST['subject'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', strip_tags(trim(stripslashes($_POST['subject'][$i])))) : '';
             $spl_val = isset($_POST['supply'][$i]) ? explode(',', preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['supply'][$i])))) : '';
             $spl_count = count($spl_val);