비밀 댓글 노출 취약점(16-067) 수정

mobile/skin/board/basic/view_comment.skin.php

@@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

mobile/skin/board/gallery/view_comment.skin.php

@@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

skin/board/basic/view_comment.skin.php

@@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

skin/board/gallery/view_comment.skin.php

@@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

theme/basic/mobile/skin/board/basic/view_comment.skin.php

@@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

theme/basic/mobile/skin/board/gallery/view_comment.skin.php

@@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

theme/basic/skin/board/basic/view_comment.skin.php

@@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }
 

theme/basic/skin/board/gallery/view_comment.skin.php

@@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
             $query_string = clean_query_string($_SERVER['QUERY_STRING']);
 
             if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                 $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                 $c_wr_content = $cmt['wr_content'];
             }