[KVE-2020-0200,0202]영카트 다중취약점 수정

2020-04-24 15:43:26 +09:00
parent 87c8abdf25
commit 340602a5b8
4 changed files with 15 additions and 13 deletions
--- a/adm/shop_admin/categoryform.php
+++ b/adm/shop_admin/categoryform.php
@ -5,6 +5,8 @@ include_once(G5_EDITOR_LIB);

 auth_check($auth[$sub_menu], "w");

+$ca_id = isset($ca_id) ? preg_replace('/[^0-9a-z]/i', '', $ca_id) : '';
+
 $sql_common = " from {$g5['g5_shop_category_table']} ";
 if ($is_admin != 'super')
    $sql_common .= " where ca_mb_id = '{$member['mb_id']}' ";
--- a/adm/shop_admin/itemdelete.inc.php
+++ b/adm/shop_admin/itemdelete.inc.php
@ -19,7 +19,7 @@ if (!function_exists("itemdelete")) {
        // 상품 이미지 삭제
        $dir_list = array();
        for($i=1; $i<=10; $i++) {
-            $file = G5_DATA_PATH.'/item/'.$it['it_img'.$i];
+            $file = G5_DATA_PATH.'/item/'.clean_relative_paths($it['it_img'.$i]);
            if(is_file($file) && $it['it_img'.$i]) {
                @unlink($file);
                $dir = dirname($file);
@ -78,9 +78,9 @@ if (!function_exists("itemdelete")) {
            else
                $data_path = $p['path'];

-            $destfile = G5_PATH.$data_path;
+            $destfile = G5_PATH.clean_relative_paths($data_path);

-            if(is_file($destfile))
+            if(is_file($destfile) && preg_match('/(\.(gif|jpe?g|png))$/i', $destfile))
                @unlink($destfile);
        }

@ -95,9 +95,9 @@ if (!function_exists("itemdelete")) {
            else
                $data_path = $p['path'];

-            $destfile = G5_PATH.$data_path;
+            $destfile = G5_PATH.clean_relative_paths($data_path);

-            if(is_file($destfile))
+            if(is_file($destfile) && preg_match('/(\.(gif|jpe?g|png))$/i', $destfile))
                @unlink($destfile);
        }
        //------------------------------------------------------------------------
--- a/install/install_config.php
+++ b/install/install_config.php
@ -67,7 +67,7 @@ $ajax_token = md5($tmp_str.$_SERVER['REMOTE_ADDR'].$_SERVER['DOCUMENT_ROOT']);
    <tr>
        <th scope="row"><label for="">쇼핑몰TABLE명 접두사</label></th>
        <td>
-            <span>가능한 변경하지 마십시오.</span>
+            <span>쇼핑몰TABLE명 접두사는 영문자, 숫자, _ 만 입력 가능합니다.</span>
            <input name="g5_shop_prefix" type="text" value="g5_shop_" id="g5_shop_prefix">
        </td>
    </tr>
--- a/install/install_db.php
+++ b/install/install_db.php
@ -23,11 +23,11 @@ include_once ('./install.inc.php');

 //print_r($_POST); exit;

-$mysql_host  = $_POST['mysql_host'];
-$mysql_user  = $_POST['mysql_user'];
-$mysql_pass  = $_POST['mysql_pass'];
-$mysql_db    = $_POST['mysql_db'];
-$table_prefix= $_POST['table_prefix'];
+$mysql_host  = safe_install_string_check($_POST['mysql_host']);
+$mysql_user  = safe_install_string_check($_POST['mysql_user']);
+$mysql_pass  = safe_install_string_check($_POST['mysql_pass']);
+$mysql_db    = safe_install_string_check($_POST['mysql_db']);
+$table_prefix= safe_install_string_check($_POST['table_prefix']);
 $admin_id    = $_POST['admin_id'];
 $admin_pass  = $_POST['admin_pass'];
 $admin_name  = $_POST['admin_name'];
@ -35,10 +35,10 @@ $admin_email = $_POST['admin_email'];
 $g5_install = 0;
 if (isset($_POST['g5_install']))
    $g5_install  = $_POST['g5_install'];
-$g5_shop_prefix = $_POST['g5_shop_prefix'];
+$g5_shop_prefix = safe_install_string_check($_POST['g5_shop_prefix']);
 $g5_shop_install= $_POST['g5_shop_install'];

-if (preg_match("/[^0-9a-z_]+/i", $table_prefix) ) {
+if (preg_match("/[^0-9a-z_]+/i", $table_prefix) || preg_match("/[^0-9a-z_]+/i", $g5_shop_prefix)) {
    die('<div class="ins_inner"><p>TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
 }