KVE-2018-0729 영카트 원격코드인젝션 취약점 수정

2018-09-06 13:34:49 +09:00
parent d21010276a
commit 3df899179f
2 changed files with 3 additions and 1 deletions
--- a/lib/shop.lib.php
+++ b/lib/shop.lib.php
@ -2245,7 +2245,7 @@ function get_shop_order_data($od_id, $type='item')
 {
    global $g5;
    
-    $od_id = clean_xss_tags($od_id);
+    $od_id = preg_replace('/[^0-9a-z_-]/i', '', clean_xss_tags($od_id));

    if( $type == 'personal' ){
        $row = sql_fetch("select * from {$g5['g5_shop_personalpay_table']} where pp_id = $od_id ", false);