From b477c2e720d51656b4bcc0d52161674712d8690a Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@gmail.com>
Date: Mon, 9 Feb 2015 09:57:32 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=ED=8C=A8?=
 =?UTF-8?q?=EC=B9=98=20=EB=B0=8F=205.0.30=EB=B2=84=EC=A0=84=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95=EB=82=B4=EC=97=AD=20=EC=A0=81=EC=9A=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/list.php                            | 6 ++++++
 bbs/move.php                            | 2 ++
 bbs/move_update.php                     | 5 +++--
 bbs/visit_insert.inc.php                | 2 +-
 head.php                                | 2 +-
 index.php                               | 2 +-
 mobile/skin/board/basic/list.skin.php   | 4 +++-
 mobile/skin/board/gallery/list.skin.php | 4 +++-
 skin/board/basic/list.skin.php          | 4 +++-
 skin/board/gallery/list.skin.php        | 4 +++-
 tail.php                                | 2 +-
 11 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/bbs/list.php b/bbs/list.php
index f964d33ed..b756bb03c 100644
--- a/bbs/list.php
+++ b/bbs/list.php
@@ -46,9 +46,15 @@ if ($sca || $stx) {
     $sql_search .= " and (wr_num between {$spt} and ({$spt} + {$config['cf_search_part']})) ";
 
     // 원글만 얻는다. (코멘트의 내용도 검색하기 위함)
+    // 라엘님 제안 코드로 대체 http://sir.co.kr/bbs/board.php?bo_table=g5_bug&wr_id=2922
+    $sql = " SELECT COUNT(DISTINCT `wr_parent`) AS `cnt` FROM {$write_table} WHERE {$sql_search} ";
+    $row = sql_fetch($sql);
+    $total_count = $row['cnt'];
+    /*
     $sql = " select distinct wr_parent from {$write_table} where {$sql_search} ";
     $result = sql_query($sql);
     $total_count = mysql_num_rows($result);
+    */
 } else {
     $sql_search = "";
 
diff --git a/bbs/move.php b/bbs/move.php
index 8756ced7b..e3a7d86f2 100644
--- a/bbs/move.php
+++ b/bbs/move.php
@@ -51,6 +51,8 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
     <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
     <input type="hidden" name="stx" value="<?php echo $stx ?>">
     <input type="hidden" name="spt" value="<?php echo $spt ?>">
+    <input type="hidden" name="sst" value="<?php echo $sst ?>">
+    <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="act" value="<?php echo $act ?>">
     <input type="hidden" name="url" value="<?php echo $_SERVER['HTTP_REFERER'] ?>">
diff --git a/bbs/move_update.php b/bbs/move_update.php
index 41b7fd4a3..bfaf54bcf 100644
--- a/bbs/move_update.php
+++ b/bbs/move_update.php
@@ -196,13 +196,14 @@ if ($sw == 'move')
 }
 
 $msg = '해당 게시물을 선택한 게시판으로 '.$act.' 하였습니다.';
-$opener_href = './board.php?bo_table='.$bo_table.'&amp;page='.$page.'&amp;'.$qstr;
+$opener_href  = './board.php?bo_table='.$bo_table.'&amp;page='.$page.'&amp;'.$qstr;
+$opener_href1 = str_replace('&amp;', '&', $opener_href);
 
 echo <<<HEREDOC
 <meta http-equiv="content-type" content="text/html; charset=utf-8">
 <script>
 alert("$msg");
-opener.document.location.href = "$opener_href";
+opener.document.location.href = "$opener_href1";
 window.close();
 </script>
 <noscript>
diff --git a/bbs/visit_insert.inc.php b/bbs/visit_insert.inc.php
index dccd1326f..a0ba612ef 100644
--- a/bbs/visit_insert.inc.php
+++ b/bbs/visit_insert.inc.php
@@ -13,7 +13,7 @@ if (get_cookie('ck_visit_ip') != $_SERVER['REMOTE_ADDR'])
     $remote_addr = escape_trim($_SERVER['REMOTE_ADDR']);
     $referer = "";
     if (isset($_SERVER['HTTP_REFERER']))
-        $referer = escape_trim($_SERVER['HTTP_REFERER']);
+        $referer = escape_trim(clean_xss_tags($_SERVER['HTTP_REFERER']));
     $user_agent  = escape_trim($_SERVER['HTTP_USER_AGENT']);
     $sql = " insert {$g5['visit_table']} ( vi_id, vi_ip, vi_date, vi_time, vi_referer, vi_agent ) values ( '{$vi_id}', '{$remote_addr}', '".G5_TIME_YMD."', '".G5_TIME_HIS."', '{$referer}', '{$user_agent}' ) ";
 
diff --git a/head.php b/head.php
index 0a889c69e..c27416c4e 100644
--- a/head.php
+++ b/head.php
@@ -11,7 +11,7 @@ include_once(G5_LIB_PATH.'/popular.lib.php');
 
 // 상단 파일 경로 지정 : 이 코드는 가능한 삭제하지 마십시오.
 if ($config['cf_include_head'] && is_file(G5_PATH.'/'.$config['cf_include_head'])) {
-    include_once($config['cf_include_head']);
+    include_once(G5_PATH.'/'.$config['cf_include_head']);
     return; // 이 코드의 아래는 실행을 하지 않습니다.
 }
 
diff --git a/index.php b/index.php
index 8506516af..7dd4be537 100644
--- a/index.php
+++ b/index.php
@@ -4,7 +4,7 @@ include_once('./_common.php');
 
 // 초기화면 파일 경로 지정 : 이 코드는 가능한 삭제하지 마십시오.
 if ($config['cf_include_index'] && is_file(G5_PATH.'/'.$config['cf_include_index'])) {
-    include_once($config['cf_include_index']);
+    include_once(G5_PATH.'/'.$config['cf_include_index']);
     return; // 이 코드의 아래는 실행을 하지 않습니다.
 }
 
diff --git a/mobile/skin/board/basic/list.skin.php b/mobile/skin/board/basic/list.skin.php
index 2bd6a0a53..b9946b974 100644
--- a/mobile/skin/board/basic/list.skin.php
+++ b/mobile/skin/board/basic/list.skin.php
@@ -44,6 +44,8 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
     <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
     <input type="hidden" name="stx" value="<?php echo $stx ?>">
     <input type="hidden" name="spt" value="<?php echo $spt ?>">
+    <input type="hidden" name="sst" value="<?php echo $sst ?>">
+    <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="sw" value="">
 
@@ -151,7 +153,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
         <option value="wr_name,1"<?php echo get_selected($sfl, 'wr_name,1'); ?>>글쓴이</option>
         <option value="wr_name,0"<?php echo get_selected($sfl, 'wr_name,0'); ?>>글쓴이(코)</option>
     </select>
-    <input name="stx" value="<?php echo stripslashes($stx) ?>" placeholder="검색어(필수)" required id="stx" class="required frm_input" size="15" maxlength="15">
+    <input name="stx" value="<?php echo stripslashes($stx) ?>" placeholder="검색어(필수)" required id="stx" class="required frm_input" size="15" maxlength="20">
     <input type="submit" value="검색" class="btn_submit">
     </form>
 </fieldset>
diff --git a/mobile/skin/board/gallery/list.skin.php b/mobile/skin/board/gallery/list.skin.php
index c429e7614..2131fc080 100644
--- a/mobile/skin/board/gallery/list.skin.php
+++ b/mobile/skin/board/gallery/list.skin.php
@@ -42,6 +42,8 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
     <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
     <input type="hidden" name="stx" value="<?php echo $stx ?>">
     <input type="hidden" name="spt" value="<?php echo $spt ?>">
+    <input type="hidden" name="sst" value="<?php echo $sst ?>">
+    <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="sw" value="">
 
@@ -178,7 +180,7 @@ $(window).on("load", function() {
         <option value="wr_name,1"<?php echo get_selected($sfl, "wr_name,1"); ?>>글쓴이</option>
         <option value="wr_name,0"<?php echo get_selected($sfl, "wr_name,0"); ?>>글쓴이(코)</option>
     </select>
-    <input name="stx" value="<?php echo stripslashes($stx) ?>" placeholder="검색어(필수)" required id="stx" class="required" size="15" maxlength="15">
+    <input name="stx" value="<?php echo stripslashes($stx) ?>" placeholder="검색어(필수)" required id="stx" class="required" size="15" maxlength="20">
     <input type="submit" value="검색">
     </form>
 </fieldset>
diff --git a/skin/board/basic/list.skin.php b/skin/board/basic/list.skin.php
index a8b915359..d995a8555 100644
--- a/skin/board/basic/list.skin.php
+++ b/skin/board/basic/list.skin.php
@@ -51,6 +51,8 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
     <input type="hidden" name="stx" value="<?php echo $stx ?>">
     <input type="hidden" name="spt" value="<?php echo $spt ?>">
     <input type="hidden" name="sca" value="<?php echo $sca ?>">
+    <input type="hidden" name="sst" value="<?php echo $sst ?>">
+    <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="sw" value="">
 
@@ -181,7 +183,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
         <option value="wr_name,0"<?php echo get_selected($sfl, 'wr_name,0'); ?>>글쓴이(코)</option>
     </select>
     <label for="stx" class="sound_only">검색어<strong class="sound_only"> 필수</strong></label>
-    <input type="text" name="stx" value="<?php echo stripslashes($stx) ?>" required id="stx" class="frm_input required" size="15" maxlength="15">
+    <input type="text" name="stx" value="<?php echo stripslashes($stx) ?>" required id="stx" class="frm_input required" size="15" maxlength="20">
     <input type="submit" value="검색" class="btn_submit">
     </form>
 </fieldset>
diff --git a/skin/board/gallery/list.skin.php b/skin/board/gallery/list.skin.php
index ff4f730bb..507fe6000 100644
--- a/skin/board/gallery/list.skin.php
+++ b/skin/board/gallery/list.skin.php
@@ -40,6 +40,8 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
     <input type="hidden" name="sfl" value="<?php echo $sfl ?>">
     <input type="hidden" name="stx" value="<?php echo $stx ?>">
     <input type="hidden" name="spt" value="<?php echo $spt ?>">
+    <input type="hidden" name="sst" value="<?php echo $sst ?>">
+    <input type="hidden" name="sod" value="<?php echo $sod ?>">
     <input type="hidden" name="page" value="<?php echo $page ?>">
     <input type="hidden" name="sw" value="">
 
@@ -175,7 +177,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$board_skin_url.'/style.css">', 0
         <option value="wr_name,0"<?php echo get_selected($sfl, 'wr_name,0'); ?>>글쓴이(코)</option>
     </select>
     <label for="stx" class="sound_only">검색어<strong class="sound_only"> 필수</strong></label>
-    <input type="text" name="stx" value="<?php echo stripslashes($stx) ?>" required id="stx" class="frm_input required" size="15" maxlength="15">
+    <input type="text" name="stx" value="<?php echo stripslashes($stx) ?>" required id="stx" class="frm_input required" size="15" maxlength="20">
     <input type="submit" value="검색" class="btn_submit">
     </form>
 </fieldset>
diff --git a/tail.php b/tail.php
index e020a1b11..f4b57a4c9 100644
--- a/tail.php
+++ b/tail.php
@@ -3,7 +3,7 @@ if (!defined('_GNUBOARD_')) exit; // 개별 페이지 접근 불가
 
 // 하단 파일 경로 지정 : 이 코드는 가능한 삭제하지 마십시오.
 if ($config['cf_include_tail'] && is_file(G5_PATH.'/'.$config['cf_include_tail'])) {
-    include_once($config['cf_include_tail']);
+    include_once(G5_PATH.'/'.$config['cf_include_tail']);
     return; // 이 코드의 아래는 실행을 하지 않습니다.
 }