Merge branch 'master' of github.com:gnuboard/g5

2020-03-03 12:01:16 +09:00
parent 1600f63dee 1395a8f338
commit 8dd2fe58e6
20 changed files with 82 additions and 18 deletions
--- a/adm/board_copy.php
+++ b/adm/board_copy.php
@ -31,7 +31,7 @@ include_once(G5_PATH.'/head.sub.php');
            </tr>
            <tr>
                <th scope="col"><label for="target_subject">게시판 제목<strong class="sound_only">필수</strong></label></th>
-                <td><input type="text" name="target_subject" value="[복사본] <?php echo $board['bo_subject'] ?>" id="target_subject" required class="required frm_input" maxlength="120"></td>
+                <td><input type="text" name="target_subject" value="[복사본] <?php echo get_sanitize_input($board['bo_subject']); ?>" id="target_subject" required class="required frm_input" maxlength="120"></td>
            </tr>
            <tr>
                <th scope="col">복사 유형</th>
--- a/adm/board_copy_update.php
+++ b/adm/board_copy_update.php
@ -11,6 +11,8 @@ check_admin_token();
 $target_table   = trim($_POST['target_table']);
 $target_subject = trim($_POST['target_subject']);

+$target_subject = strip_tags(clean_xss_attributes($target_subject));
+
 if (!preg_match('/[A-Za-z0-9_]{1,20}/', $target_table)) {
    alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)');
 }
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@ -60,6 +60,11 @@ if(!is_include_path_check($bo_include_tail, 1)) {
    alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }

+if( function_exists('filter_input_include_path') ){
+    $bo_include_head = filter_input_include_path($bo_include_head);
+    $bo_include_tail = filter_input_include_path($bo_include_tail);
+}
+
 $board_path = G5_DATA_PATH.'/file/'.$bo_table;

 // 게시판 디렉토리 생성
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@ -71,6 +71,11 @@ if( $co_include_tail && ! is_include_path_check($co_include_tail, 1) ){
    $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }

+if( function_exists('filter_input_include_path') ){
+    $co_include_head = filter_input_include_path($co_include_head);
+    $co_include_tail = filter_input_include_path($co_include_tail);
+}
+
 $co_seo_title = exist_seo_title_recursive('content', generate_seo_title($co_subject), $g5['content_table'], $co_id);

 $sql_common = " co_include_head     = '$co_include_head',
--- a/adm/qa_config_update.php
+++ b/adm/qa_config_update.php
@ -56,6 +56,11 @@ if( $qa_include_tail && ! is_include_path_check($qa_include_tail, 1) ){
    $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
 }

+if( function_exists('filter_input_include_path') ){
+    $qa_include_head = filter_input_include_path($qa_include_head);
+    $qa_include_tail = filter_input_include_path($qa_include_tail);
+}
+
 $sql = " update {$g5['qa_config_table']}
            set qa_title                = '{$_POST['qa_title']}',
                qa_category             = '{$_POST['qa_category']}',
--- a/bbs/register_form.php
+++ b/bbs/register_form.php
@ -12,10 +12,13 @@ set_session("ss_cert_no",   "");
 set_session("ss_cert_hash", "");
 set_session("ss_cert_type", "");

+$is_social_login_modify = false;
+
 if( $provider && function_exists('social_nonce_is_valid') ){   //모바일로 소셜 연결을 했다면
    if( social_nonce_is_valid(get_session("social_link_token"), $provider) ){  //토큰값이 유효한지 체크
        $w = 'u';   //회원 수정으로 처리
        $_POST['mb_id'] = $member['mb_id'];
+        $is_social_login_modify = true;
    }
 }

@ -75,8 +78,14 @@ if ($w == "") {
    // 수정 후 다시 이 폼으로 돌아오기 위해 임시로 저장해 놓음
    set_session("ss_tmp_password", $_POST[mb_password]);
    */
+    
+    if($_POST['mb_id'] && ! (isset($_POST['mb_password']) && $_POST['mb_password'])){
+        if( ! $is_social_login_modify ){
+            alert('비밀번호를 입력해 주세요.');
+        }
+    }

-    if ($_POST['mb_password']) {
+    if (isset($_POST['mb_password'])) {
        // 수정된 정보를 업데이트후 되돌아 온것이라면 비밀번호가 암호화 된채로 넘어온것임
        if ($_POST['is_update']) {
            $tmp_password = $_POST['mb_password'];
--- a/config.php
+++ b/config.php
@ -5,7 +5,7 @@
 ********************/

 define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.4.2');
+define('G5_GNUBOARD_VER', '5.4.2.1');

 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
 define('_GNUBOARD_', true);
--- a/install/install_db.php
+++ b/install/install_db.php
@ -292,7 +292,7 @@ for ($i=0; $i<count($tmp_bo_table); $i++)
    // 게시판 테이블 생성
    $file = file("../".G5_ADMIN_DIR."/sql_write.sql");
    $file = get_db_create_replace($file);
-    $sql = implode($file, "\n");
+    $sql = implode('\n', $file);

    $create_table = $table_prefix.'write_' . $tmp_bo_table[$i];

--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -1801,7 +1801,7 @@ function get_table_define($table, $crlf="\n")

    $schema_create .= $crlf . ') ENGINE=MyISAM DEFAULT CHARSET=utf8';

-    return $schema_create;
+    return get_db_create_replace($schema_create);
 } // end of the 'PMA_getTableDef()' function


@ -3022,6 +3022,9 @@ function clean_xss_tags($str, $check_entities=0)
        if( $check_entities ){
            $result = str_replace(array('&colon;', '&lpar;', '&rpar;', '&NewLine;', '&Tab;'), '', $result);
        }
+        
+        $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius',
+                '$1$2', $result);

        if((string)$result === (string)$str) break;

@ -3035,7 +3038,30 @@ function clean_xss_tags($str, $check_entities=0)
 // XSS 어트리뷰트 태그 제거
 function clean_xss_attributes($str)
 {
-    $str = preg_replace('#(onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavaible|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragdrop|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterupdate|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmoveout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)\\s*=\\s*\\\?".*?"#is', '', $str);
+    $xss_attributes_string = 'onAbort|onActivate|onAttribute|onAfterPrint|onAfterScriptExecute|onAfterUpdate|onAnimationCancel|onAnimationEnd|onAnimationIteration|onAnimationStart|onAriaRequest|onAutoComplete|onAutoCompleteError|onAuxClick|onBeforeActivate|onBeforeCopy|onBeforeCut|onBeforeDeactivate|onBeforeEditFocus|onBeforePaste|onBeforePrint|onBeforeScriptExecute|onBeforeUnload|onBeforeUpdate|onBegin|onBlur|onBounce|onCancel|onCanPlay|onCanPlayThrough|onCellChange|onChange|onClick|onClose|onCommand|onCompassNeedsCalibration|onContextMenu|onControlSelect|onCopy|onCueChange|onCut|onDataAvailable|onDataSetChanged|onDataSetComplete|onDblClick|onDeactivate|onDeviceLight|onDeviceMotion|onDeviceOrientation|onDeviceProximity|onDrag|onDragDrop|onDragEnd|onDragEnter|onDragLeave|onDragOver|onDragStart|onDrop|onDurationChange|onEmptied|onEnd|onEnded|onError|onErrorUpdate|onExit|onFilterChange|onFinish|onFocus|onFocusIn|onFocusOut|onFormChange|onFormInput|onFullScreenChange|onFullScreenError|onGotPointerCapture|onHashChange|onHelp|onInput|onInvalid|onKeyDown|onKeyPress|onKeyUp|onLanguageChange|onLayoutComplete|onLoad|onLoadedData|onLoadedMetaData|onLoadStart|onLoseCapture|onLostPointerCapture|onMediaComplete|onMediaError|onMessage|onMouseDown|onMouseEnter|onMouseLeave|onMouseMove|onMouseOut|onMouseOver|onMouseUp|onMouseWheel|onMove|onMoveEnd|onMoveStart|onMozFullScreenChange|onMozFullScreenError|onMozPointerLockChange|onMozPointerLockError|onMsContentZoom|onMsFullScreenChange|onMsFullScreenError|onMsGestureChange|onMsGestureDoubleTap|onMsGestureEnd|onMsGestureHold|onMsGestureStart|onMsGestureTap|onMsGotPointerCapture|onMsInertiaStart|onMsLostPointerCapture|onMsManipulationStateChanged|onMsPointerCancel|onMsPointerDown|onMsPointerEnter|onMsPointerLeave|onMsPointerMove|onMsPointerOut|onMsPointerOver|onMsPointerUp|onMsSiteModeJumpListItemRemoved|onMsThumbnailClick|onOffline|onOnline|onOutOfSync|onPage|onPageHide|onPageShow|onPaste|onPause|onPlay|onPlaying|onPointerCancel|onPointerDown|onPointerEnter|onPointerLeave|onPointerLockChange|onPointerLockError|onPointerMove|onPointerOut|onPointerOver|onPointerUp|onPopState|onProgress|onPropertyChange|onqt_error|onRateChange|onReadyStateChange|onReceived|onRepeat|onReset|onResize|onResizeEnd|onResizeStart|onResume|onReverse|onRowDelete|onRowEnter|onRowExit|onRowInserted|onRowsDelete|onRowsEnter|onRowsExit|onRowsInserted|onScroll|onSearch|onSeek|onSeeked|onSeeking|onSelect|onSelectionChange|onSelectStart|onStalled|onStorage|onStorageCommit|onStart|onStop|onShow|onSyncRestored|onSubmit|onSuspend|onSynchRestored|onTimeError|onTimeUpdate|onTimer|onTrackChange|onTransitionEnd|onToggle|onTouchCancel|onTouchEnd|onTouchLeave|onTouchMove|onTouchStart|onTransitionCancel|onTransitionEnd|onUnload|onURLFlip|onUserProximity|onVolumeChange|onWaiting|onWebKitAnimationEnd|onWebKitAnimationIteration|onWebKitAnimationStart|onWebKitFullScreenChange|onWebKitFullScreenError|onWebKitTransitionEnd|onWheel';
+    
+    do {
+        $count = $temp_count = 0;
+
+        $str = preg_replace(
+            '/(.*)(?:' . $xss_attributes_string . ')(?:\s*=\s*)(?:\'(?:.*?)\'|"(?:.*?)")(.*)/ius',
+            '$1-$2-$3-$4',
+            $str,
+            -1,
+            $temp_count
+        );
+        $count += $temp_count;
+
+        $str = preg_replace(
+            '/(.*)(?:' . $xss_attributes_string . ')\s*=\s*(?:[^\s>]*)(.*)/ius',
+            '$1$2',
+            $str,
+            -1,
+            $temp_count
+        );
+        $count += $temp_count;
+
+    } while ($count);

    return $str;
 }
@ -3672,10 +3698,10 @@ function is_include_path_check($path='', $is_input='')
            // 장태진 @jtjisgod <jtjisgod@gmail.com> 추가
            // 보안 목적 : rar wrapper 차단

-            if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false ){
+            if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false || stripos($path, '://') !== false ){
                return false;
            }
-            
+
            $replace_path = str_replace('\\', '/', $path);
            $slash_count = substr_count(str_replace('\\', '/', $_SERVER['SCRIPT_NAME']), '/');
            $peer_count = substr_count($replace_path, '../');
@ -3744,6 +3770,10 @@ function is_include_path_check($path='', $is_input='')
    return true;
 }

+function filter_input_include_path($path){
+    return str_replace('//', '/', $path);
+}
+
 function option_array_checked($option, $arr=array()){
    $checked = '';

--- a/lib/pbkdf2.compat.php
+++ b/lib/pbkdf2.compat.php
@ -46,7 +46,7 @@ function create_hash($password, $force_compat = false)
 {
    // Generate the salt.
    
-    if (function_exists('mcrypt_create_iv')) {
+    if (function_exists('mcrypt_create_iv') && version_compare( PHP_VERSION, '7.2' , '<' ) ) {
        $salt = base64_encode(mcrypt_create_iv(PBKDF2_COMPAT_SALT_BYTES, MCRYPT_DEV_URANDOM));
    } elseif (@file_exists('/dev/urandom') && $fp = @fopen('/dev/urandom', 'r')) {
        $salt = base64_encode(fread($fp, PBKDF2_COMPAT_SALT_BYTES));
--- a/lib/thumbnail.lib.php
+++ b/lib/thumbnail.lib.php
@ -306,8 +306,11 @@ function thumbnail($filename, $source_path, $target_path, $thumb_width, $thumb_h
        if(!$thumb_height) {
            $thumb_height = round(($thumb_width * $size[1]) / $size[0]);
        } else {
-            if($size[0] < $thumb_width || $size[1] < $thumb_height)
+            if($crop_mode === 'center' && ($size[0] > $thumb_width || $size[1] > $thumb_height)){
+                $is_large = true;
+            } else if($size[0] < $thumb_width || $size[1] < $thumb_height) {
                $is_large = false;
+            }
        }
    } else {
        if($thumb_height) {
--- a/mobile/skin/board/basic/style.css
+++ b/mobile/skin/board/basic/style.css
@ -299,7 +299,7 @@
 .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""}
 .bo_vc_w .bo_vc_secret {display:block}

-#bo_vc_send_sns {display:block;float:left}
+#bo_vc_send_sns {display:block;margin-bottom:10px}
 #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1}
 #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""}
 #bo_vc_sns li {float:left;margin:0 5px 0 0}
--- a/mobile/skin/board/gallery/style.css
+++ b/mobile/skin/board/gallery/style.css
@ -331,7 +331,7 @@
 .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""}
 .bo_vc_w .bo_vc_secret {display:block}

-#bo_vc_send_sns {display:block;float:left}
+#bo_vc_send_sns {display:block;margin-bottom:10px}
 #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1}
 #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""}
 #bo_vc_sns li {float:left;margin:0 5px 0 0}
--- a/plugin/social/register_member_update.php
+++ b/plugin/social/register_member_update.php
@ -53,6 +53,7 @@ if( ! isset($mb_password) || ! $mb_password ){

 }

+if ($msg = valid_mb_id($mb_id))         alert($msg, "", true, true);
 if ($msg = empty_mb_name($mb_name))       alert($msg, "", true, true);
 if ($msg = empty_mb_nick($mb_nick))     alert($msg, "", true, true);
 if ($msg = empty_mb_email($mb_email))   alert($msg, "", true, true);
@ -68,6 +69,10 @@ if ($msg = exist_mb_id($mb_id))     alert($msg);
 if ($msg = exist_mb_nick($mb_nick, $mb_id))     alert($msg, "", true, true);
 if ($msg = exist_mb_email($mb_email, $mb_id))   alert($msg, "", true, true);

+if( $mb = get_member($mb_id) ){
+    alert("이미 등록된 회원이 존재합니다.", G5_URL);
+}
+
 $data = array(
 'mb_id' =>  $mb_id,
 'mb_password'   =>  get_encrypt_string($mb_password),
--- a/skin/board/basic/view.skin.php
+++ b/skin/board/basic/view.skin.php
@ -130,7 +130,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
        ?>
        <div id="bo_v_act">
            <?php if($board['bo_use_good']) { ?><span class="bo_v_good"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">추천</span><strong><?php echo number_format($view['wr_good']) ?></strong></span><?php } ?>
-            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
+            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-down" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
        </div>
        <?php
            }
--- a/skin/board/gallery/view.skin.php
+++ b/skin/board/gallery/view.skin.php
@ -130,7 +130,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
        ?>
        <div id="bo_v_act">
            <?php if($board['bo_use_good']) { ?><span class="bo_v_good"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">추천</span><strong><?php echo number_format($view['wr_good']) ?></strong></span><?php } ?>
-            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
+            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-down" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
        </div>
        <?php
            }
--- a/theme/basic/mobile/skin/board/basic/style.css
+++ b/theme/basic/mobile/skin/board/basic/style.css
@ -299,7 +299,7 @@
 .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""}
 .bo_vc_w .bo_vc_secret {display:block}

-#bo_vc_send_sns {display:block;float:left}
+#bo_vc_send_sns {display:block;margin-bottom:10px}
 #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1}
 #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""}
 #bo_vc_sns li {float:left;margin:0 5px 0 0}
--- a/theme/basic/mobile/skin/board/gallery/style.css
+++ b/theme/basic/mobile/skin/board/gallery/style.css
@ -331,7 +331,7 @@
 .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""}
 .bo_vc_w .bo_vc_secret {display:block}

-#bo_vc_send_sns {display:block;float:left}
+#bo_vc_send_sns {display:block;margin-bottom:10px}
 #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1}
 #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""}
 #bo_vc_sns li {float:left;margin:0 5px 0 0}
--- a/theme/basic/skin/board/basic/view.skin.php
+++ b/theme/basic/skin/board/basic/view.skin.php
@ -130,7 +130,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
        ?>
        <div id="bo_v_act">
            <?php if($board['bo_use_good']) { ?><span class="bo_v_good"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">추천</span><strong><?php echo number_format($view['wr_good']) ?></strong></span><?php } ?>
-            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
+            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-down" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
        </div>
        <?php
            }
--- a/theme/basic/skin/board/gallery/view.skin.php
+++ b/theme/basic/skin/board/gallery/view.skin.php
@ -130,7 +130,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
        ?>
        <div id="bo_v_act">
            <?php if($board['bo_use_good']) { ?><span class="bo_v_good"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">추천</span><strong><?php echo number_format($view['wr_good']) ?></strong></span><?php } ?>
-            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-up" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
+            <?php if($board['bo_use_nogood']) { ?><span class="bo_v_nogood"><i class="fa fa-thumbs-o-down" aria-hidden="true"></i><span class="sound_only">비추천</span><strong><?php echo number_format($view['wr_nogood']) ?></strong></span><?php } ?>
        </div>
        <?php
            }