From 828b362f6764b4dab374afed70fd2c2ea583f15b Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Tue, 9 Jul 2019 10:55:30 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2019-1144=20XSS=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 yc4_import_run.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/yc4_import_run.php b/yc4_import_run.php
index 80753e13f..3afe2a5d6 100644
--- a/yc4_import_run.php
+++ b/yc4_import_run.php
@@ -1,6 +1,12 @@
 <?php
 include_once('./_common.php');
 
+$g4 = array();
+
+if( isset($_REQUEST['g4']) || isset($_GET['g4']) || isset($_POST['g4']) ){
+    die('잘못된 요청입니다');
+}
+
 ob_end_clean();
 
 include_once(G5_LIB_PATH.'/connect.lib.php');
@@ -178,6 +184,14 @@ document.onkeydown = noRefresh ;
         require($g4_config_file);
         require($shop_config_file);
 
+        if( $g4 && is_array($g4) ){
+           foreach($g4 as $k=>$v){
+               if( preg_match('/_table$/i', $k) ){
+                    $g4[$k] = preg_replace('/[^0-9A-Za-z_]/', '', $v);
+               }
+           }
+        }
+
         if(preg_replace('/[^a-z]/', '', strtolower($g4['charset'])) == 'euckr')
             $is_euckr = true;