From 0f4ec77ac0f4a1eeef6f2974ba21750c02862aef Mon Sep 17 00:00:00 2001 From: thisgun Date: Thu, 28 Sep 2017 20:23:28 +0900 Subject: [PATCH 1/9] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20?= =?UTF-8?q?=EB=8B=A4=EC=A4=91=20=EC=B7=A8=EC=95=BD=EC=A0=90=20(17-0295,=20?= =?UTF-8?q?334,=20355)=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/admin.lib.php | 13 +++++-- adm/board_form_update.php | 8 ++--- adm/contentformupdate.php | 16 +++++++++ adm/qa_config_update.php | 20 +++++++++-- bbs/memo.php | 2 +- lib/common.lib.php | 76 ++++++++++++++++++++++----------------- 6 files changed, 93 insertions(+), 42 deletions(-) diff --git a/adm/admin.lib.php b/adm/admin.lib.php index fbe195990..0f0b55418 100644 --- a/adm/admin.lib.php +++ b/adm/admin.lib.php @@ -382,15 +382,24 @@ function admin_referer_check($return=false) } $p = @parse_url($referer); + $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']); + $msg = ''; if($host != $p['host']) { $msg = '올바른 방법으로 이용해 주십시오.'; + } - if($return) + if( $p['path'] && ! preg_match( '/\/'.preg_quote(G5_ADMIN_DIR).'\//i', $p['path'] ) ){ + $msg = '올바른 방법으로 이용해 주십시오'; + } + + if( $msg ){ + if($return) { return $msg; - else + } else { alert($msg, G5_URL); + } } } diff --git a/adm/board_form_update.php b/adm/board_form_update.php index 70c679b16..d2cb9e76e 100644 --- a/adm/board_form_update.php +++ b/adm/board_form_update.php @@ -21,7 +21,7 @@ if ($file = $_POST['bo_include_head']) { $purl = parse_url($file); $file = $purl['path']; if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { - alert('상단 파일 경로가 php, html 파일이 아닙니다.'); + alert('상단 파일 경로의 확장자는 php, html 만 허용합니다.'); } $_POST['bo_include_head'] = $file; } @@ -30,16 +30,16 @@ if ($file = $_POST['bo_include_tail']) { $purl = parse_url($file); $file = $purl['path']; if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { - alert('하단 파일 경로가 php, html 파일이 아닙니다.'); + alert('하단 파일 경로의 확장자는 php, html 만 허용합니다.'); } $_POST['bo_include_tail'] = $file; } -if(!is_include_path_check($_POST['bo_include_head'])) { +if(!is_include_path_check($_POST['bo_include_head'], 1)) { alert('/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.'); } -if(!is_include_path_check($_POST['bo_include_tail'])) { +if(!is_include_path_check($_POST['bo_include_tail'], 1)) { alert('/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.'); } diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php index 53ddecc96..fa6a6048b 100644 --- a/adm/contentformupdate.php +++ b/adm/contentformupdate.php @@ -20,6 +20,22 @@ if ($co_timg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_t"); $error_msg = ''; +if( $co_include_head ){ + $purl = parse_url($co_include_head); + $file = $purl['path']; + if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { + alert('상단 파일 경로의 확장자는 php, html 만 허용합니다.'); + } +} + +if( $co_include_tail ){ + $purl = parse_url($co_include_tail); + $file = $purl['path']; + if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { + alert('하단 파일 경로의 확장자는 php, html 만 허용합니다.'); + } +} + if( $co_include_head && ! is_include_path_check($co_include_head) ){ $co_include_head = ''; $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.'; diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php index 6ebcbed85..47adc9b88 100644 --- a/adm/qa_config_update.php +++ b/adm/qa_config_update.php @@ -10,12 +10,28 @@ check_admin_token(); $error_msg = ''; -if( $qa_include_head && ! is_include_path_check($qa_include_head) ){ +if( $qa_include_head ){ + $purl = parse_url($qa_include_head); + $file = $purl['path']; + if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { + alert('상단 파일 경로의 확장자는 php, html 만 허용합니다.'); + } +} + +if( $qa_include_tail ){ + $purl = parse_url($qa_include_tail); + $file = $purl['path']; + if (!preg_match("/\.(php|htm['l']?)$/i", $file)) { + alert('하단 파일 경로의 확장자는 php, html 만 허용합니다.'); + } +} + +if( $qa_include_head && ! is_include_path_check($qa_include_head, 1) ){ $qa_include_head = ''; $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.'; } -if( $qa_include_tail && ! is_include_path_check($qa_include_tail) ){ +if( $qa_include_tail && ! is_include_path_check($qa_include_tail, 1) ){ $qa_include_tail = ''; $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.'; } diff --git a/bbs/memo.php b/bbs/memo.php index 4d9c0129a..a6af0663c 100644 --- a/bbs/memo.php +++ b/bbs/memo.php @@ -7,7 +7,7 @@ if ($is_guest) $g5['title'] = '내 쪽지함'; include_once(G5_PATH.'/head.sub.php'); -if (!$kind) $kind = 'recv'; +$kind = $kind ? clean_xss_tags(strip_tags($kind)) : 'recv'; if ($kind == 'recv') $unkind = 'send'; diff --git a/lib/common.lib.php b/lib/common.lib.php index 4f86541d3..5c25f8233 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -153,7 +153,7 @@ function alert($msg='', $url='', $error=true, $post=false) global $g5, $config, $member; global $is_admin; - if (!$msg) $msg = '올바른 방법으로 이용해 주십시오.'; + $msg = $msg ? strip_tags($msg, '
') : '올바른 방법으로 이용해 주십시오.'; $header = ''; if (isset($g5['title'])) { @@ -168,6 +168,8 @@ function alert($msg='', $url='', $error=true, $post=false) function alert_close($msg, $error=true) { global $g5; + + $msg = strip_tags($msg, '
'); $header = ''; if (isset($g5['title'])) { @@ -3302,46 +3304,54 @@ function get_call_func_cache($func, $args=array()){ } // include 하는 경로에 data file 경로가 포함되어 있는지 체크합니다. -function is_include_path_check($path='') +function is_include_path_check($path='', $is_input='') { if( $path ){ - try { - // whether $path is unix or not - $unipath = strlen($path)==0 || $path{0}!='/'; - $unc = substr($path,0,2)=='\\\\'?true:false; - // attempts to detect if path is relative in which case, add cwd - if(strpos($path,':') === false && $unipath && !$unc){ - $path=getcwd().DIRECTORY_SEPARATOR.$path; - if($path{0}=='/'){ - $unipath = false; + if ($is_input){ + try { + // whether $path is unix or not + $unipath = strlen($path)==0 || $path{0}!='/'; + $unc = substr($path,0,2)=='\\\\'?true:false; + // attempts to detect if path is relative in which case, add cwd + if(strpos($path,':') === false && $unipath && !$unc){ + $path=getcwd().DIRECTORY_SEPARATOR.$path; + if($path{0}=='/'){ + $unipath = false; + } } + + // resolve path parts (single dot, double dot and double delimiters) + $path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path); + $parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen'); + $absolutes = array(); + foreach ($parts as $part) { + if ('.' == $part){ + continue; + } + if ('..' == $part) { + array_pop($absolutes); + } else { + $absolutes[] = $part; + } + } + $path = implode(DIRECTORY_SEPARATOR, $absolutes); + // resolve any symlinks + // put initial separator that could have been lost + $path = !$unipath ? '/'.$path : $path; + $path = $unc ? '\\\\'.$path : $path; + } catch (Exception $e) { + //echo 'Caught exception: ', $e->getMessage(), "\n"; + return false; } - // resolve path parts (single dot, double dot and double delimiters) - $path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path); - $parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen'); - $absolutes = array(); - foreach ($parts as $part) { - if ('.' == $part){ - continue; - } - if ('..' == $part) { - array_pop($absolutes); - } else { - $absolutes[] = $part; - } + if( preg_match('/\/data\/(file|editor)\/[A-Za-z0-9_]{1,20}\//', $path) ){ + return false; } - $path = implode(DIRECTORY_SEPARATOR, $absolutes); - // resolve any symlinks - // put initial separator that could have been lost - $path = !$unipath ? '/'.$path : $path; - $path = $unc ? '\\\\'.$path : $path; - } catch (Exception $e) { - //echo 'Caught exception: ', $e->getMessage(), "\n"; - return false; } - if( preg_match('/\/data\/(file|editor)\/[A-Za-z0-9_]{1,20}\//', $path) ){ + $extension = pathinfo($path, PATHINFO_EXTENSION); + + if($extension && preg_match('/(jpg|jpeg|png|gif|bmp|conf)$/', $extension)) { return false; } } From 38f1e838a59369d8ac5b068a370960db52e20fff Mon Sep 17 00:00:00 2001 From: thisgun Date: Fri, 29 Sep 2017 10:36:32 +0900 Subject: [PATCH 2/9] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C,=20?= =?UTF-8?q?=EC=98=81=EC=B9=B4=ED=8A=B8=20=EA=B4=80=EB=A6=AC=EC=9E=90?= =?UTF-8?q?=ED=8E=98=EC=9D=B4=EC=A7=80=20=ED=8C=8C=EC=9D=BC=20=EC=82=AD?= =?UTF-8?q?=EC=A0=9C=20=EC=B7=A8=EC=95=BD=EC=A0=90=20(17-664)=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/board_list_update.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/adm/board_list_update.php b/adm/board_list_update.php index 20bba640a..a26e521d6 100644 --- a/adm/board_list_update.php +++ b/adm/board_list_update.php @@ -62,7 +62,10 @@ if ($_POST['act_button'] == "선택수정") { // include 전에 $bo_table 값을 반드시 넘겨야 함 $tmp_bo_table = trim($_POST['board_table'][$k]); - include ('./board_delete.inc.php'); + + if( preg_match("/^[A-Za-z0-9_]+$/", $tmp_bo_table) ){ + include ('./board_delete.inc.php'); + } } From 3beaf71e163c87b82d5e7ff3153610515b896d60 Mon Sep 17 00:00:00 2001 From: thisgun Date: Fri, 29 Sep 2017 12:19:50 +0900 Subject: [PATCH 3/9] =?UTF-8?q?=EB=8F=99=EC=9D=BC=ED=95=9C=20=EA=B2=8C?= =?UTF-8?q?=EC=8B=9C=ED=8C=90=EC=9C=BC=EB=A1=9C=20=EA=B8=80=20=EB=B3=B5?= =?UTF-8?q?=EC=82=AC=EC=8B=9C=20=ED=8C=8C=EC=9D=BC=20=EB=B3=B5=EC=82=AC=20?= =?UTF-8?q?=EC=B2=98=EB=A6=AC=20=EC=88=98=EC=A0=95=20(=20=EC=A0=9C?= =?UTF-8?q?=EC=9D=B4=ED=94=84=EB=A1=9C=20=EB=8B=98=20=EC=A0=9C=EC=95=88=20?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/move_update.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bbs/move_update.php b/bbs/move_update.php index ac6c0582e..78abbd8cd 100644 --- a/bbs/move_update.php +++ b/bbs/move_update.php @@ -115,7 +115,9 @@ while ($row = sql_fetch_array($result)) if ($row3['bf_file']) { // 원본파일을 복사하고 퍼미션을 변경 - @copy($src_dir.'/'.$row3['bf_file'], $dst_dir.'/'.$row3['bf_file']); + // 제이프로님 코드제안 적용 + $copy_file_name = ($bo_table !== $move_bo_table) ? $row3['bf_file'] : $row2['wr_id'].'_copy_'.$insert_id.'_'.$row3['bf_file']; + @copy($src_dir.'/'.$row3['bf_file'], $dst_dir.'/'.$copy_file_name); @chmod($dst_dir/$row3['bf_file'], G5_FILE_PERMISSION); } @@ -124,7 +126,7 @@ while ($row = sql_fetch_array($result)) wr_id = '$insert_id', bf_no = '{$row3['bf_no']}', bf_source = '".addslashes($row3['bf_source'])."', - bf_file = '{$row3['bf_file']}', + bf_file = '$copy_file_name', bf_download = '{$row3['bf_download']}', bf_content = '".addslashes($row3['bf_content'])."', bf_filesize = '{$row3['bf_filesize']}', From 8ed85a5fb4e5756d431354ee0db3045c12a222d4 Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 10 Oct 2017 11:25:04 +0900 Subject: [PATCH 4/9] =?UTF-8?q?=EA=B2=8C=EC=8B=9C=ED=8C=90=20=EA=B8=80=20?= =?UTF-8?q?=EC=93=B0=EA=B8=B0=20=ED=86=A0=ED=81=B0=20=EC=A0=81=EC=9A=A9=20?= =?UTF-8?q?=20=EC=9D=B4=EB=AF=B8=EC=A7=80=20=EB=B2=84=ED=8A=BC=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- js/common.js | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/js/common.js b/js/common.js index 83f42221d..49c9c56fd 100644 --- a/js/common.js +++ b/js/common.js @@ -721,8 +721,13 @@ function get_write_token(bo_table) } $(function() { - $(document).on("click", "form[name=fwrite] input:submit, form[name=fwrite] button:submit", function() { + $(document).on("click", "form[name=fwrite] input:submit, form[name=fwrite] button:submit, form[name=fwrite] input:image", function() { var f = this.form; + + if (typeof(f.bo_table) == "undefined") { + return; + } + var bo_table = f.bo_table.value; var token = get_write_token(bo_table); From ebad7240cc09f77ec2d68592c657fec02f7b7dbf Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 10 Oct 2017 11:26:11 +0900 Subject: [PATCH 5/9] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20RCE?= =?UTF-8?q?=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95=20adm1nkyj(?= =?UTF-8?q?=EA=B9=80=EC=9A=A9=EC=A7=84,=20http://adm1nkyj.kr)=20=EB=8B=98?= =?UTF-8?q?=20=EC=A0=9C=EB=B3=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- g4_import.php | 5 +++++ g4_import_run.php | 9 ++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/g4_import.php b/g4_import.php index 85e763858..3e4f67ac2 100644 --- a/g4_import.php +++ b/g4_import.php @@ -125,6 +125,7 @@ if($is_admin != 'super')

프로그램을 실행하시려면 그누보드4의 config.php 파일 경로를 입력하신 후 확인을 클릭해 주십시오.

+
@@ -142,6 +143,10 @@ if($is_admin != 'super') diff --git a/g4_import_run.php b/g4_import_run.php index 28c949931..f34569b93 100644 --- a/g4_import_run.php +++ b/g4_import_run.php @@ -17,6 +17,13 @@ echo ''; if(empty($_POST)) alert('올바른 방법으로 이용해 주십시오.', G5_URL); +if (!preg_match("/^http['s']?:\/\/".$_SERVER['HTTP_HOST']."/", $_SERVER['HTTP_REFERER'])){ + alert("제대로 된 접근이 아닌것 같습니다.", G5_URL); +} + +// 토큰체크 +check_write_token('g4_import'); + if(get_session('tables_copied') == 'done') alert('DB 데이터 변환을 이미 실행하였습니다. 중복 실행시 오류가 발생할 수 있습니다.', G5_URL); @@ -165,7 +172,7 @@ document.onkeydown = noRefresh ; flush(); // g4의 confing.php - require($g4_config_file); + require('./'.$g4_config_file); if(preg_replace('/[^a-z]/', '', strtolower($g4['charset'])) == 'euckr') $is_euckr = true; From c111b2beaf38c51947237524f6ff3654a4049afe Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 10 Oct 2017 11:36:55 +0900 Subject: [PATCH 6/9] =?UTF-8?q?=EC=83=88=EA=B8=80=20=EC=84=A0=ED=83=9D?= =?UTF-8?q?=EB=82=B4=EC=9A=A9=EC=82=AD=EC=A0=9C=20=EA=B3=BC=EC=A0=95?= =?UTF-8?q?=EC=A4=91=20=20=EC=9E=98=EB=AA=BB=EB=90=9C=20=EB=B3=80=EC=88=98?= =?UTF-8?q?=EB=AA=85=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/new_delete.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bbs/new_delete.php b/bbs/new_delete.php index e3df24ce8..45341a244 100644 --- a/bbs/new_delete.php +++ b/bbs/new_delete.php @@ -69,7 +69,7 @@ for($i=0;$i Date: Tue, 10 Oct 2017 11:39:32 +0900 Subject: [PATCH 7/9] =?UTF-8?q?=EA=B2=80=EC=83=89=EC=88=9C=EC=9C=84=20?= =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=20=ED=8E=98=EC=9D=B4=EC=A7=80=20?= =?UTF-8?q?=EC=9E=98=EB=AA=BB=EB=90=9C=20=EC=86=8C=EC=8A=A4=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/popular_rank.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adm/popular_rank.php b/adm/popular_rank.php index fbbea0e75..bce502786 100644 --- a/adm/popular_rank.php +++ b/adm/popular_rank.php @@ -7,7 +7,7 @@ auth_check($auth[$sub_menu], 'r'); if (empty($fr_date) || ! preg_match("/^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$/", $fr_date) ) $fr_date = G5_TIME_YMD; if (empty($to_date) || ! preg_match("/^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])$/", $to_date) ) $to_date = G5_TIME_YMD; -$qstr = "fr_date={$fr_date}{&to_date}={$to_date}"; +$qstr = "fr_date={$fr_date}&to_date={$to_date}"; $sql_common = " from {$g5['popular_table']} a "; $sql_search = " where trim(pp_word) <> '' and pp_date between '{$fr_date}' and '{$to_date}' "; From 988223464561f1a639393050cfe0546d7276e172 Mon Sep 17 00:00:00 2001 From: thisgun Date: Tue, 10 Oct 2017 11:44:38 +0900 Subject: [PATCH 8/9] =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=20=ED=95=98?= =?UTF-8?q?=EB=8B=A8=EC=97=90=20=EB=B2=84=EC=A0=84=EC=A0=95=EB=B3=B4=20?= =?UTF-8?q?=ED=91=9C=EC=8B=9C=20=EA=B5=AC=EB=AC=B8=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/admin.tail.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adm/admin.tail.php b/adm/admin.tail.php index d7a359226..ba913ff9f 100644 --- a/adm/admin.tail.php +++ b/adm/admin.tail.php @@ -1,7 +1,7 @@