스마트에디터 2.8.2 적용 및 에디터 업로드 보안 수정

plugin/editor/smarteditor2/editor.lib.php

@@ -15,7 +15,7 @@ function editor_html($id, $content, $is_dhtml_editor=true)
 
     if ($is_dhtml_editor && $js) {
         $html .= "\n".'<script src="'.$editor_url.'/js/HuskyEZCreator.js"></script>';
-        $html .= "\n".'<script>var g5_editor_url = "'.$editor_url.'", oEditors = [];</script>';
+        $html .= "\n".'<script>var g5_editor_url = "'.$editor_url.'", oEditors = [], ed_nonce = "'.ft_nonce_create('smarteditor').'";</script>';
         $html .= "\n".'<script src="'.$editor_url.'/config.js"></script>';
         $html .= "\n<script>";
         $html .= '
@@ -38,7 +38,7 @@ function editor_html($id, $content, $is_dhtml_editor=true)
     }
 
     $smarteditor_class = $is_dhtml_editor ? "smarteditor2" : "";
-    $html .= "\n<textarea id=\"$id\" name=\"$id\" class=\"$smarteditor_class\" maxlength=\"65536\" style=\"width:100%\">$content</textarea>";
+    $html .= "\n<textarea id=\"$id\" name=\"$id\" class=\"$smarteditor_class\" maxlength=\"65536\" style=\"width:100%;height:300px\">$content</textarea>";
     $html .= "\n<span class=\"sound_only\">웹 에디터 끝</span>";
     return $html;
 }
@@ -64,4 +64,72 @@ function chk_editor_js($id, $is_dhtml_editor=true)
         return "if (!{$id}_editor.value) { alert(\"내용을 입력해 주십시오.\"); {$id}_editor.focus(); return false; }\n";
     }
 }
+
+/*
+ * Name: FT-NONCE-LIB
+ * Created By: Full Throttle Development, LLC (http://fullthrottledevelopment.com)
+ * Created On: July 2009
+ * Last Modified On: August 12, 2009
+ * Last Modified By: Glenn Ansley (glenn@fullthrottledevelopment.com)
+ * Version: 0.2
+ */
+
+/* 
+Copyright 2009 Full Throttle Development, LLC
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+if (!defined('FT_NONCE_UNIQUE_KEY'))
+    define( 'FT_NONCE_UNIQUE_KEY' , sha1(G5_MYSQL_USER) );
+
+if (!defined('FT_NONCE_DURATION'))
+    define( 'FT_NONCE_DURATION' , 2160000 ); // 300 makes link or form good for 5 minutes from time of generation,  300은 5분간 유효, 2160000은 10시간동안 유효
+
+if (!defined('FT_NONCE_KEY'))
+    define( 'FT_NONCE_KEY' , '_nonce' );
+
+// This method creates a key / value pair for a url string
+if(!function_exists('ft_nonce_create_query_string')){
+    function ft_nonce_create_query_string( $action = '' , $user = '' ){
+        return FT_NONCE_KEY."=".ft_nonce_create( $action , $user );
+    }
+}
+
+// This method creates an nonce. It should be called by one of the previous two functions.
+if(!function_exists('ft_nonce_create')){
+    function ft_nonce_create( $action = '' , $user='' ){
+        return substr( ft_nonce_generate_hash( $action . $user ), -12, 10);
+    }
+}
+
+// This method validates an nonce
+if(!function_exists('ft_nonce_is_valid')){
+    function ft_nonce_is_valid( $nonce , $action = '' , $user='' ){
+        // Nonce generated 0-12 hours ago
+        if ( substr(ft_nonce_generate_hash( $action . $user ), -12, 10) == $nonce ){
+            return true;
+        }
+        return false;
+    }
+}
+
+// This method generates the nonce timestamp
+if(!function_exists('ft_nonce_generate_hash')){
+    function ft_nonce_generate_hash( $action='' , $user='' ){
+        $i = ceil( time() / ( FT_NONCE_DURATION / 2 ) );
+        return md5( $i . $action . $user . $action );
+    }
+}
 ?>