firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

host 가 inicis.com 의 주소가 아니라면 false 반환, XSS 취약점 해결 (03sunf님,220317)

Browse Source
This commit is contained in:
kagla
2022-03-17 11:17:22 +09:00
parent ae6190116f
commit 84a065c31b
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
shop/inicis/libs/HttpClient.php
View File

@ -32,6 +32,12 @@ class HttpClient {
$data = substr($data, 1); // remove leading "&" $data = substr($data, 1); // remove leading "&"
$url_data = parse_url($url); $url_data = parse_url($url);
// host 가 inicis.com 의 주소가 아니라면 false 반환
// [scheme] => https, [host] => fcstdpay.inicis.com, [path] => /api/payAuth
if (preg_match("#inicis\.com$#", $url_data["host"]) == false) {
// error_log(print_r($url_data, 1));
return false;
}
if ($url_data["scheme"] == "https") { if ($url_data["scheme"] == "https") {
$this->ssl = "ssl://"; $this->ssl = "ssl://";