From 32e9797fef86f3a04378fc42836931c39fd59b3a Mon Sep 17 00:00:00 2001 From: thisgun Date: Thu, 16 Jun 2022 12:29:11 +0900 Subject: [PATCH] =?UTF-8?q?[KVE-2022-0143]=20=EA=B7=B8=EB=88=84=EB=B3=B4?= =?UTF-8?q?=EB=93=9C=20Open=20Redirect,=20Reflected=20XSS=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index e65abf71f..2d36a7fb4 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3352,7 +3352,9 @@ function check_url_host($url, $msg='', $return_url=G5_URL, $is_redirect=false)
         alert('url 에 올바르지 않은 값이 포함되어 있습니다.');
     }
 
-    $url = urldecode($url);
+    while ( ( $replace_url = preg_replace(array('/\/{2,}/', '/\\@/'), array('//', ''), urldecode($url)) ) != $url ) {
+        $url = $replace_url;
+    }
     $p = @parse_url(trim($url));
     $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
     $is_host_check = false;
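Review bot: The added normalization loop collapses slash runs and strips `@` but leaves backslashes alone, and browsers treat `\` as `/` in a URL, so a value such as `/\evil.example` is parsed here as a host-less path (passing the host comparison that follows) while the client follows it off-site; unless the character check just above the hunk, whose condition is outside the hunk, already rejects `\`, add a backslash-to-slash step ahead of the collapse: `preg_replace(array('/\\\\/', '/\/{2,}/', '/\\@/'), array('/', '//', ''), urldecode($url))`. The loop condition uses `!=`, a loose comparison of two strings; `!==` states the intent and sidesteps PHP's numeric-string equality rules. check_url_host's body begins and continues outside the hunk, so whether the normalized `$url` (rather than the caller's original value) is the one later returned or redirected to could not be confirmed from here.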