firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

옵션정보를 이용한 SQL Injection 취약점(16-682) 수정

Browse Source
This commit is contained in:
chicpro
2016-09-06 14:46:36 +09:00
parent 78a11a5230
commit 73bb020487
5 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
adm/shop_admin/itemformupdate.php
View File

@ -214,6 +214,8 @@ if($option_count) {
// 옵션명
$opt1_cnt = $opt2_cnt = $opt3_cnt = 0;
for($i=0; $i<$option_count; $i++) {
$_POST['opt_id'][$i] = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['opt_id'][$i]);
$opt_val = explode(chr(30), $_POST['opt_id'][$i]);
if($opt_val[0])
$opt1_cnt++;
@ -240,6 +242,8 @@ if($supply_count) {
// 추가옵션명
$arr_spl = array();
for($i=0; $i<$supply_count; $i++) {
$_POST['spl_id'][$i] = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['spl_id'][$i]);
$spl_val = explode(chr(30), $_POST['spl_id'][$i]);
if(!in_array($spl_val[0], $arr_spl))
$arr_spl[] = $spl_val[0];

12
adm/shop_admin/itemoption.php
View File

@ -14,13 +14,13 @@ if($it['it_id']) {
if(sql_num_rows($result))
$po_run = true;
} else if(!empty($_POST)) {
$opt1_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt1_subject'])));
$opt2_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt2_subject'])));
$opt3_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt3_subject'])));
$opt1_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt1_subject'])));
$opt2_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt2_subject'])));
$opt3_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt3_subject'])));
$opt1_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt1'])));
$opt2_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt2'])));
$opt3_val = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['opt3'])));
$opt1_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt1'])));
$opt2_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt2'])));
$opt3_val = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['opt3'])));
if(!$opt1_subject || !$opt1_val) {
echo '옵션1과 옵션1 항목을 입력해 주십시오.';

4
adm/shop_admin/itemsupply.php
View File

@ -84,8 +84,8 @@ if($ps_run) {
} // for
} else {
for($i=0; $i<$subject_count; $i++) {
$spl_subject = preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['subject'][$i])));
$spl_val = explode(',', preg_replace('/[\'\"]/', '', trim(stripslashes($_POST['supply'][$i]))));
$spl_subject = preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['subject'][$i])));
$spl_val = explode(',', preg_replace(G5_OPTION_ID_FILTER, '', trim(stripslashes($_POST['supply'][$i]))));
$spl_count = count($spl_val);
for($j=0; $j<$spl_count; $j++) {

3
shop.config.php
View File

@ -65,6 +65,9 @@ if(!defined('_THEME_PREVIEW_')) {
}
}
// 옵션 ID 특수문자 필터링 패턴
define('G5_OPTION_ID_FILTER', '/[\'\"\\\'\\\"]/');
/*
// 주문상태 상수
define('G5_OD_STATUS_ORDER' , '입금확인중');

8
shop/cartupdate.php
View File

@ -197,8 +197,8 @@ else // 장바구니에 담기
// 이미 주문폼에 있는 같은 상품의 수량합계를 구한다.
if($sw_direct) {
for($k=0; $k<$opt_count; $k++) {
$io_id = $_POST['io_id'][$it_id][$k];
$io_type = $_POST['io_type'][$it_id][$k];
$io_id = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['io_id'][$it_id][$k]);
$io_type = preg_replace('#[^01]#', '', $_POST['io_type'][$it_id][$k]);
$io_value = $_POST['io_value'][$it_id][$k];
$sql = " select SUM(ct_qty) as cnt from {$g5['g5_shop_cart_table']}
@ -248,8 +248,8 @@ else // 장바구니에 담기
VALUES ";
for($k=0; $k<$opt_count; $k++) {
$io_id = $_POST['io_id'][$it_id][$k];
$io_type = $_POST['io_type'][$it_id][$k];
$io_id = preg_replace(G5_OPTION_ID_FILTER, '', $_POST['io_id'][$it_id][$k]);
$io_type = preg_replace('#[^01]#', '', $_POST['io_type'][$it_id][$k]);
$io_value = $_POST['io_value'][$it_id][$k];
// 선택옵션정보가 존재하는데 선택된 옵션이 없으면 건너뜀