From 6e90622328c8be59dc78dcd44ef9aa71e66d285e Mon Sep 17 00:00:00 2001
From: chicpro
Date: Tue, 23 Jun 2015 11:12:23 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=205.0.37?= =?UTF-8?q?=20=EC=88=98=EC=A0=95=EB=82=B4=EC=97=AD=20=EC=A0=81=EC=9A=A9=20?= =?UTF-8?q?=EB=B0=8F=20XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/current_connect.php | 1 +
 bbs/member_confirm.php | 2 +-
 config.php | 2 +-
 head.php | 12 ++++++------
 head.sub.php | 4 ++--
 lib/common.lib.php | 36 +++++++++++++++++++++++++++++++++++-
 mobile/tail.php | 26 ++------------------------
 tail.php | 26 ++------------------------
 8 files changed, 50 insertions(+), 59 deletions(-)
diff --git a/bbs/current_connect.php b/bbs/current_connect.php
index 686522564..5ad0e2a4e 100644
--- a/bbs/current_connect.php
+++ b/bbs/current_connect.php
@@ -12,6 +12,7 @@ $sql = " select a.mb_id, b.mb_nick, b.mb_name, b.mb_email, b.mb_homepage, b.mb_o
 order by a.lo_datetime desc ";
 $result = sql_query($sql);
 for ($i=0; $row=sql_fetch_array($result); $i++) {
+ $row['lo_url'] = get_text($row['lo_url']);
 $list[$i] = $row;
 if ($row['mb_id']) {
diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
index e3f1e9ab6..9f214f289 100644
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@@ -14,7 +14,7 @@ else
 $g5['title'] = '회원 비밀번호 확인';
 include_once('./_head.sub.php');
-$url = $_GET['url'];
+$url = clean_xss_tags($_GET['url']);
 // url 체크
 check_url_host($url);
diff --git a/config.php b/config.php
index 613073dbb..ca8744855 100644
--- a/config.php
+++ b/config.php
@@ -5,7 +5,7 @@
 ********************/
 define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.0.36');
+define('G5_GNUBOARD_VER', '5.0.37');
 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
 define('_GNUBOARD_', true);
diff --git a/head.php b/head.php
index c27416c4e..cccc0f2db 100644
--- a/head.php
+++ b/head.php 
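Review bot: `$row['lo_url'] = get_text($row['lo_url']);` escapes a single column at fetch time while the other member-supplied columns selected in the same row (`mb_nick`, `mb_name`, `mb_email`, `mb_homepage`) are stored in `$list` raw, so the skin that renders `$list` receives a mix of pre-escaped and unescaped values and has to know which is which. Escaping consistently at output, or at least recording why `lo_url` alone is treated here, would make that contract explicit; a comment such as `// lo_url is presumably the URL the visitor requested; escape it before the skin renders it` would document the intent. Whether get_text's encoding fits every context the skin uses `lo_url` in (text node versus href attribute) cannot be judged from this hunk, and the enclosing for loop continues beyond it.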
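Review bot: `$url = clean_xss_tags($_GET['url']);` still reads `$_GET['url']` unconditionally, so a request without that parameter raises an undefined-index notice before `check_url_host($url)` runs; `$url = isset($_GET['url']) ? clean_xss_tags($_GET['url']) : '';` keeps the fix and avoids the notice. clean_xss_tags looks like a tag-filtering step rather than a context-aware encoder, so wherever `$url` is later echoed into HTML (outside this hunk) it should still pass through htmlspecialchars, with `check_url_host` remaining the existing guard on where the value may point.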
@@ -1,6 +1,12 @@ $val) {
- $key = trim($key);
+ $key = strip_tags(trim($key));
 $val = trim($val);
 switch($key) {
@@ -2953,4 +2953,38 @@ function clean_query_string($query, $amp=true)
 return $str;
 }
+
+function get_device_change_url()
+{
+ $p = parse_url(G5_URL);
+ $href = $p['scheme'].'://'.$p['host'];
+ if(isset($p['port']) && $p['port'])
+ $href .= ':'.$p['port'];
+ $href .= $_SERVER['SCRIPT_NAME'];
+
+ $q = array();
+ $device = 'device='.(G5_IS_MOBILE ? 'pc' : 'mobile');
+
+ if($_SERVER['QUERY_STRING']) {
+ foreach($_GET as $key=>$val) {
+ if($key == 'device')
+ continue;
+
+ $key = strip_tags($key);
+ $val = strip_tags($val);
+
+ if($key && $val)
+ $q[$key] = $val;
+ }
+ }
+
+ if(!empty($q)) {
+ $query = http_build_query($q, '', '&');
+ $href .= '?'.$query.'&'.$device;
+ } else {
+ $href .= '?'.$device;
+ }
+
+ return $href;
+}
 ?>
\ No newline at end of file
diff --git a/mobile/tail.php b/mobile/tail.php
index ceecca3fd..44d88ff22 100644
--- a/mobile/tail.php
+++ b/mobile/tail.php
@@ -25,30 +25,8 @@ if (!defined('_GNUBOARD_')) exit; // 개별 페이지 접근 불가 $val) {
- if($key == 'device')
- continue;
-
- $href .= $sep.$key.'='.$val;
- $sep = '&';
- $seq++;
- }
- }
- if($seq)
- $href .= '&device=pc';
- else
- $href .= '?device=pc';
-?>
-PC 버전으로 보기
+if(G5_DEVICE_BUTTON_DISPLAY && G5_IS_MOBILE) { ?>
+PC 버전으로 보기 $val) {
- if($key == 'device')
- continue;
-
- $href .= $sep.$key.'='.strip_tags($val);
- $sep = '&';
- $seq++;
- }
- }
- if($seq)
- $href .= '&device=mobile';
- else
- $href .= '?device=mobile';
-?>
-모바일 버전으로 보기
+if(G5_DEVICE_BUTTON_DISPLAY && !G5_IS_MOBILE) { ?>
+모바일 버전으로 보기
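Review bot: In get_device_change_url, `if($key && $val)` silently drops any parameter whose value is the string `'0'` (falsy in PHP), and `strip_tags($val)` is applied to `$_GET` values that may be arrays, which emits a warning on PHP 5 and throws a TypeError on PHP 8; adding `if(!is_string($val)) continue;` before the two strip_tags calls and changing the test to `if($key !== '' && $val !== '')` addresses both. Because `http_build_query` percent-encodes every key and value, that call rather than `strip_tags` is what keeps the returned URL safe in the href where tail.php and mobile/tail.php appear to echo it (the anchor markup is stripped from this view), so a comment like `// http_build_query encodes keys/values; strip_tags only tidies the copied parameters` would stop a later reader from treating the strip_tags lines as the protection. The earlier common.lib.php hunk visible above (`$key = strip_tags(trim($key))`) shows only the tail of its function; its start is outside SOURCE.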