From 84a065c31b264611897d577338340dd87fb68ef6 Mon Sep 17 00:00:00 2001
From: kagla
Date: Thu, 17 Mar 2022 11:17:22 +0900
Subject: [PATCH] =?UTF-8?q?host=20=EA=B0=80=20inicis.com=20=EC=9D=98=20?= =?UTF-8?q?=EC=A3=BC=EC=86=8C=EA=B0=80=20=EC=95=84=EB=8B=88=EB=9D=BC?= =?UTF-8?q?=EB=A9=B4=20false=20=EB=B0=98=ED=99=98,=20XSS=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=ED=95=B4=EA=B2=B0=20(03sunf=EB=8B=98,2203?= =?UTF-8?q?17)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 shop/inicis/libs/HttpClient.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/shop/inicis/libs/HttpClient.php b/shop/inicis/libs/HttpClient.php
index 2799437cf..2179eb82e 100644
--- a/shop/inicis/libs/HttpClient.php
+++ b/shop/inicis/libs/HttpClient.php
@@ -32,6 +32,12 @@ class HttpClient {
 $data = substr($data, 1); // remove leading "&"
 $url_data = parse_url($url);
+ // host 가 inicis.com 의 주소가 아니라면 false 반환
+ // [scheme] => https, [host] => fcstdpay.inicis.com, [path] => /api/payAuth
+ if (preg_match("#inicis\.com$#", $url_data["host"]) == false) {
+ // error_log(print_r($url_data, 1));
+ return false;
+ }
 if ($url_data["scheme"] == "https") {
 $this->ssl = "ssl://";
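Review bot: The added host check `preg_match("#inicis\.com$#", $url_data["host"])` is anchored only on the right, so it accepts any hostname that merely ends in the string `inicis.com`, not just `inicis.com` and its subdomains. The allow-list is therefore wider than the comment above it states. It also reads `$url_data["host"]` without checking that `parse_url()` returned a host, and `$` still matches before a trailing newline. I would require a label boundary, an exact end and a present host: `if (empty($url_data["host"]) || preg_match('#(^|\.)inicis\.com\z#i', $url_data["host"]) !== 1) { return false; }`. The enclosing method starts and ends outside the hunk, so whether the scheme is restricted in the same way later cannot be confirmed from here.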