From a4c3a4b5e97f9d11a4d2bd7f3944b73a7cdc037e Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 9 Mar 2018 10:56:30 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20URL=20Re?= =?UTF-8?q?direct=20=EC=B7=A8=EC=95=BD=EC=A0=90(KVE-2017-1052)=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 23f0db8ff..e1a65c8cd 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3016,6 +3016,22 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
 $p = @parse_url($url);
 $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
 $is_host_check = false;
+
+ // url을 urlencode 를 2번이상하면 parse_url 에서 scheme와 host 값을 가져올수 없는 취약점이 존재함
+ if ( !isset($p['host']) && urldecode($url) != $url ){
+ $i = 0;
+ while($i <= 3){
+ $url = urldecode($url);
+ if( urldecode($url) == $url ) break;
+ $i++;
+ }
+
+ if( urldecode($url) == $url ){
+ $p = @parse_url($url);
+ } else {
+ $is_host_check = true;
+ }
+ }
 if(stripos($url, 'http:') !== false) {
 if(!isset($p['scheme']) || !$p['scheme'] || !isset($p['host']) || !$p['host'])
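Review bot: The added fallback compares the decoded and original values with loose `!=` and `==` (in the guard, the loop's break test and the final test), and PHP compares two numeric-looking strings by value, so a change made by decoding can go unnoticed; `urldecode($url) !== $url` in the guard and `=== $url` in the other two state what is meant. The limit of four decode rounds and the meaning of `$is_host_check = true` in the else branch are not documented; a comment such as `// still changing after 4 decodes: treat as a failed host check` would make the fail-closed intent explicit, assuming the flag leads to rejection further down, which this hunk does not show. Because `$url` is passed by value, only the local copy is decoded and the caller keeps the original encoded string, which is worth stating in the function's docblock so callers know which form was actually validated. check_url_host starts before and continues past the hunk.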