From 277ce801e685bd971d0b529b95d3cee33fa1330e Mon Sep 17 00:00:00 2001
From: thisgun
Date: Thu, 7 Sep 2017 10:05:14 +0900
Subject: [PATCH] =?UTF-8?q?=EC=9B=90=EA=B2=A9=20=EC=BD=94=EB=93=9C=20?=
 =?UTF-8?q?=EC=8B=A4=ED=96=89=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95=20(=2017-0524,525=20)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 install/install_config.php | 22 ++++++++++++++++++++++
 install/install_db.php | 20 +++++++++++++++-----
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/install/install_config.php b/install/install_config.php
index facb68255..a6581af2d 100644
--- a/install/install_config.php
+++ b/install/install_config.php
@@ -140,6 +140,28 @@ function frm_install_submit(f)
         alert('최고관리자 E-mail 을 입력하십시오.'); f.admin_email.focus(); return false;
     }
+    var reg = /^\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink)\s?\(\$_(get|post|request)\s?\[.*?\]\s?\)/gi;
+    var reg_msg = " 에 유효하지 않는 문자가 있습니다. 다른 문자로 대체해 주세요.";
+
+    if( reg.test(f.mysql_host.value) ){
+        alert('MySQL Host'+reg_msg); f.mysql_host.focus(); return false;
+    }
+
+    if( reg.test(f.mysql_user.value) ){
+        alert('MySQL User'+reg_msg); f.mysql_user.focus(); return false;
+    }
+
+    if( f.mysql_pass.value && reg.test(f.mysql_pass.value) ){
+        alert('MySQL PASSWORD'+reg_msg); f.mysql_pass.focus(); return false;
+    }
+
+    if( reg.test(f.mysql_db.value) ){
+        alert('MySQL DB'+reg_msg); f.mysql_db.focus(); return false;
+    }
+
+    if( f.table_prefix.value && reg.test(f.table_prefix.value) ){
+        alert('TABLE명 접두사'+reg_msg); f.table_prefix.focus(); return false;
+    }
     if(/^[a-z][a-z0-9]/i.test(f.admin_id.value) == false) {
         alert('최고관리자 회원 ID는 첫자는 반드시 영문자 그리고 영문자와 숫자로만 만드셔야 합니다.');
diff --git a/install/install_db.php b/install/install_db.php
index e436263e1..1612d09b6 100644
--- a/install/install_db.php
+++ b/install/install_db.php
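Review bot: The new `reg` in frm_install_submit only matches a value that literally begins with `);` followed by one of twelve function names calling `$_get`/`$_post`/`$_request`, so any other shape — a leading `'` or `"`, a function not in the list such as `shell_exec`, or `$_COOKIE` instead of `$_POST` — passes, and because this runs in the browser it is skipped entirely by a direct POST, so it can only be a usability hint rather than a control. Host, user, DB name and table prefix have a known shape, so a positive check is both shorter and stronger: `var reg_ident = /^[A-Za-z0-9_.:\-]+$/;` with `if( !reg_ident.test(f.mysql_host.value) ){` (and likewise for user, DB and prefix), leaving the password to server-side escaping. The `g` flag on a regex that is only ever used with `.test()` is unneeded and makes `lastIndex` stateful; `/.../i` is enough. Whether the server escapes these values before writing them into a PHP config file is not visible in this hunk and should be confirmed there, since that is where the injection would actually be stopped.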
@@ -12,16 +12,26 @@ header('Pragma: no-cache'); // HTTP/1.0
 include_once ('../config.php');
 include_once ('../lib/common.lib.php');
+if( ! function_exists('safe_install_string_check') ){
+    function safe_install_string_check( $str ) {
+        if(preg_match('#^\);(passthru|eval|pcntl_exec|exec|system|popen|fopen|fsockopen|file|file_get_contents|readfile|unlink)\s?\(\$_(get|post|request)\s?\[.*?\]\s?\)#i', $str)) {
+            die("입력한 값에 안전하지 않는 문자가 포함되어 있습니다. 설치를 중단합니다.");
+        }
+
+        return $str;
+    }
+}
+
 $title = G5_VERSION." 설치 완료 3/3";
 include_once ('./install.inc.php');
 //print_r($_POST); exit;
-$mysql_host = $_POST['mysql_host'];
-$mysql_user = $_POST['mysql_user'];
-$mysql_pass = $_POST['mysql_pass'];
-$mysql_db = $_POST['mysql_db'];
-$table_prefix= $_POST['table_prefix'];
+$mysql_host = safe_install_string_check($_POST['mysql_host']);
+$mysql_user = safe_install_string_check($_POST['mysql_user']);
+$mysql_pass = safe_install_string_check($_POST['mysql_pass']);
+$mysql_db = safe_install_string_check($_POST['mysql_db']);
+$table_prefix= safe_install_string_check($_POST['table_prefix']);
 $admin_id = $_POST['admin_id'];
 $admin_pass = $_POST['admin_pass'];
 $admin_name = $_POST['admin_name'];
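Review bot: `safe_install_string_check` is anchored on `^\);` and a fixed list of twelve function names, so it rejects only the exact payload shape it was written against; the same injection with a leading `'` or `"`, a call to `shell_exec`, `assert` or `include`, `$_COOKIE` instead of `$_POST`, or a `?>` followed by a fresh open tag all come back from `return $str` untouched. A denylist cannot close this — the values should be validated by shape, and whatever writes them into a PHP file (not in this hunk) should escape them. For host, user, DB and prefix a positive check is enough, `if (preg_match('#[^A-Za-z0-9_.:\-]#', $str)) {`, and for the password the characters that can terminate a quoted PHP literal must at least be rejected if they are not escaped on write: `if (preg_match('#[\'"\\\\$\r\n]|<\?|\?>#', $str)) {`. Because `$str` is returned unchanged on success the function is a gate, not a sanitizer, and its header comment should say so, e.g. `// Aborts the install on a disallowed value; does not escape $str`. Which file the values land in and with what quoting is not visible here, so the exact character set should be confirmed against that writer.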