firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

[KVE-2025-0464]영카트 XSS 취약점 수정

Browse Source
This commit is contained in:
thisgun
2025-08-27 17:58:06 +09:00
parent 5da91ab73e
commit 6a3c2b1002
4 changed files with 42 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
adm/shop_admin/itemformupdate.php
View File

@ -235,6 +235,14 @@ sql_query(" delete from {$g5['g5_shop_event_item_table']} where it_id = '$it_id'
// 선택옵션
sql_query(" delete from {$g5['g5_shop_item_option_table']} where io_type = '0' and it_id = '$it_id' "); // 기존선택옵션삭제
// 금지할 패턴 목록
$forbidden_patterns = array(
'/<\s*script/i', // <script>
'/<\s*iframe/i', // <iframe>
'/on\w+\s*=/i', // onclick=, onerror= 등 이벤트 핸들러
'/javascript:/i' // javascript: 프로토콜
);
$option_count = (isset($_POST['opt_id']) && is_array($_POST['opt_id'])) ? count($_POST['opt_id']) : array();
$it_option_subject = '';
$it_supply_subject = '';
@ -243,8 +251,18 @@ if($option_count) {
// 옵션명
$opt1_cnt = $opt2_cnt = $opt3_cnt = 0;
for($i=0; $i<$option_count; $i++) {
$post_opt_id = isset($_POST['opt_id'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($_POST['opt_id'][$i])) : '';
$post_opt_id = isset($_POST['opt_id'][$i]) ? $_POST['opt_id'][$i] : '';
foreach ($forbidden_patterns as $pattern) {
if (preg_match($pattern, $post_opt_id)) {
$post_opt_id = '';
$_POST['opt_id'][$i] = '';
continue 2;
}
}
$post_opt_id = preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($post_opt_id));
$opt_val = explode(chr(30), $post_opt_id);
if(isset($opt_val[0]) && $opt_val[0])
$opt1_cnt++;
@ -271,8 +289,18 @@ if($supply_count) {
// 추가옵션명
$arr_spl = array();
for($i=0; $i<$supply_count; $i++) {
$post_spl_id = isset($_POST['spl_id'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($_POST['spl_id'][$i])) : '';
$post_spl_id = isset($_POST['spl_id'][$i]) ? $_POST['spl_id'][$i] : '';
foreach ($forbidden_patterns as $pattern) {
if (preg_match($pattern, $post_spl_id)) {
$post_spl_id = '';
$_POST['spl_id'][$i] = '';
continue 2;
}
}
$post_spl_id = preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($post_spl_id));
$spl_val = explode(chr(30), $post_spl_id);
if(!in_array($spl_val[0], $arr_spl))
$arr_spl[] = $spl_val[0];

4
adm/shop_admin/itemoption.php
View File

@ -84,11 +84,11 @@ if($po_run) {
?>
<tr>
<td class="td_chk">
<input type="hidden" name="opt_id[]" value="<?php echo $opt_id; ?>">
<input type="hidden" name="opt_id[]" value="<?php echo get_text($opt_id); ?>">
<label for="opt_chk_<?php echo $i; ?>" class="sound_only"></label>
<input type="checkbox" name="opt_chk[]" id="opt_chk_<?php echo $i; ?>" value="1">
</td>
<td class="opt-cell"><?php echo $opt_1; if ($opt_2_len) echo ' <small>&gt;</small> '.$opt_2; if ($opt_3_len) echo ' <small>&gt;</small> '.$opt_3; ?></td>
<td class="opt-cell"><?php echo get_text($opt_1); if ($opt_2_len) echo ' <small>&gt;</small> '.get_text($opt_2); if ($opt_3_len) echo ' <small>&gt;</small> '.get_text($opt_3); ?></td>
<td class="td_numsmall">
<label for="opt_price_<?php echo $i; ?>" class="sound_only"></label>
<input type="text" name="opt_price[]" value="<?php echo $opt_price; ?>" id="opt_price_<?php echo $i; ?>" class="frm_input" size="9">

8
adm/shop_admin/itemsupply.php
View File

@ -55,12 +55,12 @@ if($ps_run) {
?>
<tr>
<td class="td_chk">
<input type="hidden" name="spl_id[]" value="<?php echo $spl_id; ?>">
<label for="spl_chk_<?php echo $i; ?>" class="sound_only"><?php echo $spl_subject.' '.$spl; ?></label>
<input type="hidden" name="spl_id[]" value="<?php echo get_text($spl_id); ?>">
<label for="spl_chk_<?php echo $i; ?>" class="sound_only"><?php echo get_text($spl_subject.' '.$spl); ?></label>
<input type="checkbox" name="spl_chk[]" id="spl_chk_<?php echo $i; ?>" value="1">
</td>
<td class="spl-subject-cell"><?php echo $spl_subject; ?></td>
<td class="spl-cell"><?php echo $spl; ?></td>
<td class="spl-subject-cell"><?php echo get_text($spl_subject); ?></td>
<td class="spl-cell"><?php echo get_text($spl); ?></td>
<td class="td_numsmall">
<label for="spl_price_<?php echo $i; ?>" class="sound_only">상품금액</label>
<input type="text" name="spl_price[]" value="<?php echo $spl_price; ?>" id="spl_price_<?php echo $i; ?>" class="frm_input" size="5">

8
lib/shop.lib.php
View File

@ -1010,7 +1010,7 @@ function get_item_options($it_id, $subject, $is_div='', $is_first_option_title='
for($k=0; $k<$opt_count; $k++) {
$opt_val = $opt[$k];
if(strlen($opt_val)) {
$select .= '<option value="'.$opt_val.'">'.$opt_val.'</option>'.PHP_EOL;
$select .= '<option value="'.get_text($opt_val).'">'.get_text($opt_val).'</option>'.PHP_EOL;
}
}
$select .= '</select>'.PHP_EOL;
@ -1046,7 +1046,7 @@ function get_item_options($it_id, $subject, $is_div='', $is_first_option_title='
else
$soldout = '';
$select .= '<option value="'.$row['io_id'].','.$row['io_price'].','.$row['io_stock_qty'].'">'.$row['io_id'].$price.$soldout.'</option>'.PHP_EOL;
$select .= '<option value="'.get_text($row['io_id']).','.$row['io_price'].','.$row['io_stock_qty'].'">'.get_text($row['io_id']).$price.$soldout.'</option>'.PHP_EOL;
}
$select .= '</select>'.PHP_EOL;
@ -1101,7 +1101,7 @@ function get_item_supply($it_id, $subject, $is_div='', $is_first_option_title=''
else
$soldout = '';
$options[$opt_id[0]][] = '<option value="'.$opt_id[1].','.$row['io_price'].','.$io_stock_qty.'">'.$opt_id[1].$price.$soldout.'</option>';
$options[$opt_id[0]][] = '<option value="'.get_text($opt_id[1]).','.$row['io_price'].','.$io_stock_qty.'">'.get_text($opt_id[1]).$price.$soldout.'</option>';
}
}
@ -1122,7 +1122,7 @@ function get_item_supply($it_id, $subject, $is_div='', $is_first_option_title=''
$first_option_title = $is_first_option_title ? $subj[$i] : '선택';
$select = '<select id="it_supply_'.$seq.'" class="it_supply">'.PHP_EOL;
$select .= '<option value="">'.$first_option_title.'</option>'.PHP_EOL;
$select .= '<option value="">'.get_text($first_option_title).'</option>'.PHP_EOL;
for($k=0; $k<$opt_count; $k++) {
$opt_val = $opt[$k];
if($opt_val) {