From 87bb2f1d8a440c0325ed9dec0a2db6ab86a4815d Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 2 Mar 2020 22:08:54 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2020-0097,0113,0114,0056]=EA=B7=B8?=
 =?UTF-8?q?=EB=88=84=EB=B3=B4=EB=93=9C=20=EB=8B=A4=EC=A4=91=20=EC=B7=A8?=
 =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/board_form_update.php | 5 +++++
 adm/contentformupdate.php | 5 +++++
 adm/qa_config_update.php | 5 +++++
 lib/common.lib.php | 11 +++++++++--
 plugin/social/register_member_update.php | 5 +++++
 5 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 8ddb1840c..b0bbf6889 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -60,6 +60,11 @@ if(!is_include_path_check($bo_include_tail, 1)) {
 alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
+if( function_exists('filter_input_include_path') ){
+ $bo_include_head = filter_input_include_path($bo_include_head);
+ $bo_include_tail = filter_input_include_path($bo_include_tail);
+}
+
 $board_path = G5_DATA_PATH.'/file/'.$bo_table;
 // 게시판 디렉토리 생성
diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index 58437acda..af8c35007 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@@ -71,6 +71,11 @@ if( $co_include_tail && ! is_include_path_check($co_include_tail, 1) ){
 $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }
+if( function_exists('filter_input_include_path') ){
+ $co_include_head = filter_input_include_path($co_include_head);
+ $co_include_tail = filter_input_include_path($co_include_tail);
+}
+
 $co_seo_title = exist_seo_title_recursive('content', generate_seo_title($co_subject), $g5['content_table'], $co_id);
 $sql_common = " co_include_head = '$co_include_head',
diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php
index 38b3eaddd..829c78adb 100644
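Review bot: The new `filter_input_include_path` calls run after the `is_include_path_check(..., 1)` calls that sit just above this hunk, so the admin's input is validated in one form and stored in another. A value such as `/data//file/x.php` does not contain the `/data/file/` string the check's error message (in the contentformupdate hunk) says it rejects, yet after normalisation it is presumably written to the board table as exactly that; whether it is caught again at include time is not visible here. Move the two normalising assignments above the `is_include_path_check` calls so the canonical path is the one that gets validated, and record the ordering with a comment such as `// canonicalise slashes before validation so the stored path is the path that was checked`.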
--- a/adm/qa_config_update.php
+++ b/adm/qa_config_update.php
@@ -56,6 +56,11 @@ if( $qa_include_tail && ! is_include_path_check($qa_include_tail, 1) ){
 $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }
+if( function_exists('filter_input_include_path') ){
+ $qa_include_head = filter_input_include_path($qa_include_head);
+ $qa_include_tail = filter_input_include_path($qa_include_tail);
+}
+
 $sql = " update {$g5['qa_config_table']} set qa_title = '{$_POST['qa_title']}',
 qa_category = '{$_POST['qa_category']}',
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 4b51dc930..7fe2d53ae 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3022,6 +3022,9 @@ function clean_xss_tags($str, $check_entities=0)
 if( $check_entities ){
 $result = str_replace(array(':', '(', ')', ' ', ' '), '', $result);
 }
+
+ $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius',
+ '$1$2', $result);
 if((string)$result === (string)$str) break;
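Review bot: The `function_exists('filter_input_include_path')` guard fails open: if `lib/common.lib.php` is not deployed together with this file, the save silently proceeds without the normalisation this fix introduces. The helper is added in this same patch, so the guard buys nothing on a consistent checkout; call it unconditionally, or fail closed with `if (!function_exists('filter_input_include_path')) alert('include path filter unavailable');`. Separately, `qa_title = '{$_POST['qa_title']}'` interpolates request data straight into the UPDATE; that is pre-existing and only safe if `$_POST` is escaped globally elsewhere, which this hunk cannot show.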
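Review bot: The added `preg_replace` does not handle a null return: with the `u` modifier an invalid UTF-8 input (or a backtrack-limit hit) makes `$result` null, the following `(string)$result === (string)$str` comparison then never matches, and the content silently becomes empty rather than surfacing a filter failure. Assign to a temporary and check `preg_last_error() !== PREG_NO_ERROR` so that failing closed is a deliberate, logged decision instead of an accident. The pattern is also a denylist keyed on a literal `:` after a fixed scheme list; whether entity-encoded forms such as `javascript&#58;` or `data:` URLs are handled elsewhere in the loop is not visible here, and a comment above the call naming what it does not cover would help the next maintainer. clean_xss_tags begins and ends outside this hunk.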
@@ -3695,10 +3698,10 @@ function is_include_path_check($path='', $is_input='')
 // 장태진 @jtjisgod 추가
 // 보안 목적 : rar wrapper 차단
- if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false ){
+ if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false || stripos($path, '://') !== false ){
 return false;
 }
-
+
 $replace_path = str_replace('\\', '/', $path);
 $slash_count = substr_count(str_replace('\\', '/', $_SERVER['SCRIPT_NAME']), '/');
 $peer_count = substr_count($replace_path, '../');
@@ -3767,6 +3770,10 @@ function is_include_path_check($path='', $is_input='')
 return true;
 }
+function filter_input_include_path($path){
+ return str_replace('//', '/', $path);
+}
+
 function option_array_checked($option, $arr=array()){
 $checked = '';
diff --git a/plugin/social/register_member_update.php b/plugin/social/register_member_update.php
index 748a82281..23b412fc9 100644
--- a/plugin/social/register_member_update.php
+++ b/plugin/social/register_member_update.php
@@ -53,6 +53,7 @@ if( ! isset($mb_password) || ! $mb_password ){
 }
+if ($msg = valid_mb_id($mb_id)) alert($msg, "", true, true);
 if ($msg = empty_mb_name($mb_name)) alert($msg, "", true, true);
 if ($msg = empty_mb_nick($mb_nick)) alert($msg, "", true, true);
 if ($msg = empty_mb_email($mb_email)) alert($msg, "", true, true);
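Review bot: With `stripos($path, '://')` appended, the nine-term `||` chain has become hard to audit, and every wrapper in it other than `data:` appears to be subsumed by the new term (those wrappers are only resolved with a `://` prefix, as far as I know). A style improvement is to keep the denylist as data and loop over it, e.g. `foreach (array('://', 'data:', 'php:', 'phar:', 'file:', 'rar:', 'zip:', 'zlib:', 'bzip2:') as $w) {` / `if (stripos($path, $w) !== false) return false;` / `}`, so the next wrapper is a one-token addition. The substring scan also fires anywhere in the path rather than only on a scheme prefix, which is the conservative choice and worth stating in the existing Korean comment (`// reject any stream-wrapper token anywhere in the path, not just as a prefix`). is_include_path_check starts before and continues after this hunk.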
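Review bot: `str_replace('//', '/', $path)` is a single left-to-right pass, so `///` becomes `//` and `////` also becomes `//`; the adm/ callers in this patch use the function to canonicalise a path before storing it, and a three-slash input still leaves a doubled slash in the stored value. Use `return preg_replace('#/{2,}#', '/', $path);` so any run of slashes collapses to one. The function also has no doc comment; a line such as `// Collapse repeated slashes so include-path checks and storage see one canonical form` above it would state the intent.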
@@ -68,6 +69,10 @@ if ($msg = exist_mb_id($mb_id)) alert($msg);
 if ($msg = exist_mb_nick($mb_nick, $mb_id)) alert($msg, "", true, true);
 if ($msg = exist_mb_email($mb_email, $mb_id)) alert($msg, "", true, true);
+if( $mb = get_member($mb_id) ){
+ alert("이미 등록된 회원이 존재합니다.", G5_URL);
+}
+
 $data = array(
 'mb_id' => $mb_id,
 'mb_password' => get_encrypt_string($mb_password),
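Review bot: The new `get_member($mb_id)` lookup repeats the `exist_mb_id($mb_id)` check shown in the hunk header line, and like it is check-then-act: two social registrations for the same id can both pass here and race to the insert built from `$data` below, so the real guard is a unique key on mb_id plus checking the insert result, neither of which is in this hunk. `$mb` is assigned but never read; `if (get_member($mb_id)) {` is clearer and avoids assignment-in-condition. If the second lookup is deliberate (for instance because `exist_mb_id` consults something other than the member table, which I cannot tell from here), a one-line comment saying why would stop the next reader removing it as redundant.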