From 596ad4baa603b297b13b682bcfb70a33346efa37 Mon Sep 17 00:00:00 2001 From: thisgun Date: Wed, 19 Feb 2020 10:38:24 +0900 Subject: [PATCH 1/7] =?UTF-8?q?5.4=EB=B2=84=EC=A0=84=20=EA=B4=80=EB=A6=AC?= =?UTF-8?q?=EC=9E=90=20=EC=97=90=EC=84=9C=20=EA=B2=8C=EC=8B=9C=ED=8C=90=20?= =?UTF-8?q?=EB=B3=B5=EC=82=AC=EC=8B=9C=20G5=5FDB=5FENGINE=20=EC=84=A4?= =?UTF-8?q?=EC=A0=95=20=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/common.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/common.lib.php b/lib/common.lib.php index 432514a24..8424f5f8b 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -1801,7 +1801,7 @@ function get_table_define($table, $crlf="\n") $schema_create .= $crlf . ') ENGINE=MyISAM DEFAULT CHARSET=utf8'; - return $schema_create; + return get_db_create_replace($schema_create); } // end of the 'PMA_getTableDef()' function From e72b71ce127aa4fd68a4616692ec20dcd08d49d1 Mon Sep 17 00:00:00 2001 From: thisgun Date: Wed, 19 Feb 2020 17:14:00 +0900 Subject: [PATCH 2/7] =?UTF-8?q?5.4=EB=B2=84=EC=A0=84=20SNS=20=EB=8F=99?= =?UTF-8?q?=EC=8B=9C=EB=93=B1=EB=A1=9D=20=EA=B3=BC=20=EB=B9=84=EB=B0=80?= =?UTF-8?q?=EA=B8=80=20=ED=83=9C=EA=B7=B8=20=EC=9C=84=EC=B9=98=EA=B0=80=20?= =?UTF-8?q?=EA=B2=B9=EC=B9=98=EB=8A=94=20=EC=8A=A4=ED=82=A8=20=EC=BD=94?= =?UTF-8?q?=EB=93=9C=20=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- mobile/skin/board/basic/style.css | 2 +- mobile/skin/board/gallery/style.css | 2 +- skin/board/basic/view.skin.php | 2 +- skin/board/gallery/view.skin.php | 2 +- theme/basic/mobile/skin/board/basic/style.css | 2 +- theme/basic/mobile/skin/board/gallery/style.css | 2 +- theme/basic/skin/board/basic/view.skin.php | 2 +- theme/basic/skin/board/gallery/view.skin.php | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) 
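Review bot: The return now routes the DDL through `get_db_create_replace()`, yet the context line just above still appends the literal `') ENGINE=MyISAM DEFAULT CHARSET=utf8'`, so the engine name is written into the string only to be rewritten afterwards by a helper that is not visible here. If `get_db_create_replace` is a textual substitution, it will also touch any other occurrence of that text in the generated statement; emitting the configured engine directly (the commit subject names `G5_DB_ENGINE`) would avoid the second pass, e.g. `$schema_create .= $crlf . ') ENGINE='.G5_DB_ENGINE.' DEFAULT CHARSET=utf8';`. At minimum a why-comment on the new line, `// rewrite ENGINE/charset for the configured G5_DB_ENGINE`, would explain the indirection. `get_table_define()` starts outside the hunk.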
diff --git a/mobile/skin/board/basic/style.css b/mobile/skin/board/basic/style.css index b7c86e050..ac9fb3c70 100644 --- a/mobile/skin/board/basic/style.css +++ b/mobile/skin/board/basic/style.css @@ -299,7 +299,7 @@ .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""} .bo_vc_w .bo_vc_secret {display:block} -#bo_vc_send_sns {display:block;float:left} +#bo_vc_send_sns {display:block;margin-bottom:10px} #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1} #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""} #bo_vc_sns li {float:left;margin:0 5px 0 0} diff --git a/mobile/skin/board/gallery/style.css b/mobile/skin/board/gallery/style.css index 8995847d7..448b2f57d 100644 --- a/mobile/skin/board/gallery/style.css +++ b/mobile/skin/board/gallery/style.css @@ -331,7 +331,7 @@ .bo_vc_w_wr:after {display:block;visibility:hidden;clear:both;content:""} .bo_vc_w .bo_vc_secret {display:block} -#bo_vc_send_sns {display:block;float:left} +#bo_vc_send_sns {display:block;margin-bottom:10px} #bo_vc_sns {display:block;margin:0;padding:0;list-style:none;zoom:1} #bo_vc_sns:after {display:block;visibility:hidden;clear:both;content:""} #bo_vc_sns li {float:left;margin:0 5px 0 0} diff --git a/skin/board/basic/view.skin.php b/skin/board/basic/view.skin.php index 59150b619..769bdc524 100644 --- a/skin/board/basic/view.skin.php +++ b/skin/board/basic/view.skin.php @@ -130,7 +130,7 @@ add_stylesheet('', 0 ?>
추천 - 비추천 + 비추천
', 0 ?>
추천 - 비추천 + 비추천
', 0 ?>
추천 - 비추천 + 비추천
', 0 ?>
추천 - 비추천 + 비추천
Date: Mon, 24 Feb 2020 17:13:26 +0900 Subject: [PATCH 3/7] =?UTF-8?q?=EC=8D=B8=EB=84=A4=EC=9D=BC=20center=5Fmode?= =?UTF-8?q?=20=EC=8B=9C=20=EC=8D=B8=EB=84=A4=EC=9D=BC=20height=EA=B0=80=20?= =?UTF-8?q?=EC=9B=90=EB=B3=B8=EC=9D=B4=EB=AF=B8=EC=A7=80=EA=B0=80=20?= =?UTF-8?q?=EC=9E=91=EC=9D=84=EB=95=8C=EB=8F=84=20=EB=8F=99=EC=9E=91?= =?UTF-8?q?=EB=90=98=EA=B2=8C=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/thumbnail.lib.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/thumbnail.lib.php b/lib/thumbnail.lib.php index 35260e2d2..47e296801 100644 --- a/lib/thumbnail.lib.php +++ b/lib/thumbnail.lib.php @@ -306,8 +306,11 @@ function thumbnail($filename, $source_path, $target_path, $thumb_width, $thumb_h if(!$thumb_height) { $thumb_height = round(($thumb_width * $size[1]) / $size[0]); } else { - if($size[0] < $thumb_width || $size[1] < $thumb_height) + if($crop_mode === 'center' && ($size[0] > $thumb_width || $size[1] > $thumb_height)){ + $is_large = true; + } else if($size[0] < $thumb_width || $size[1] < $thumb_height) { $is_large = false; + } } } else { if($thumb_height) { From 8ba373a9513b418bac8d336668eb32fd1b490c5d Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 2 Mar 2020 19:52:30 +0900 Subject: [PATCH 4/7] =?UTF-8?q?=ED=9A=8C=EC=9B=90=EC=A0=95=EB=B3=B4=20?= =?UTF-8?q?=EC=88=98=EC=A0=95=EC=8B=9C=20=EC=B2=B4=ED=81=AC=EA=B3=BC?= =?UTF-8?q?=EC=A0=95=20=EB=B3=80=EA=B2=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bbs/register_form.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/bbs/register_form.php b/bbs/register_form.php index 2d38f0d1b..d72804dd2 100644 --- a/bbs/register_form.php +++ b/bbs/register_form.php 
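Review bot: The new `} else if($size[0] < $thumb_width || $size[1] < $thumb_height) {` in thumbnail() uses the two-keyword form; `} elseif (...) {` is the single keyword the rest of a braced chain should use, and it keeps the chain consistent with the braces the hunk introduces. The center-crop branch sets `$is_large = true` even when the source exceeds the target in only one axis, which is a deliberate change of meaning per the commit subject and deserves a why-comment, e.g. `// center crop: a source larger in either axis is treated as large enough to crop`. `$crop_mode` is presumably a later parameter of thumbnail(), whose signature is cut off in the hunk header, and the initial value of `$is_large` is set outside the hunk.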
@@ -12,10 +12,13 @@ set_session("ss_cert_no", ""); set_session("ss_cert_hash", ""); set_session("ss_cert_type", ""); +$is_social_login_modify = false; + if( $provider && function_exists('social_nonce_is_valid') ){ //모바일로 소셜 연결을 했다면 if( social_nonce_is_valid(get_session("social_link_token"), $provider) ){ //토큰값이 유효한지 체크 $w = 'u'; //회원 수정으로 처리 $_POST['mb_id'] = $member['mb_id']; + $is_social_login_modify = true; } } @@ -75,8 +78,14 @@ if ($w == "") { // 수정 후 다시 이 폼으로 돌아오기 위해 임시로 저장해 놓음 set_session("ss_tmp_password", $_POST[mb_password]); */ + + if($_POST['mb_id'] && ! (isset($_POST['mb_password']) && $_POST['mb_password'])){ + if( ! $is_social_login_modify ){ + alert('비밀번호를 입력해 주세요.'); + } + } - if ($_POST['mb_password']) { + if (isset($_POST['mb_password'])) { // 수정된 정보를 업데이트후 되돌아 온것이라면 비밀번호가 암호화 된채로 넘어온것임 if ($_POST['is_update']) { $tmp_password = $_POST['mb_password']; From 31705f32c923d4335d98ba5d5f5d50f3296590e3 Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 2 Mar 2020 20:02:45 +0900 Subject: [PATCH 5/7] =?UTF-8?q?[KVE-2020-0104,105,106]=EA=B7=B8=EB=88=84?= =?UTF-8?q?=EB=B3=B4=EB=93=9CXSS=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/common.lib.php | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/lib/common.lib.php b/lib/common.lib.php index 8424f5f8b..4b51dc930 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php 
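Review bot: In the second hunk, `if (isset($_POST['mb_password']))` replaces a truthiness test, so a submitted-but-empty `mb_password` now enters the block; on the social-login modify path, where the new alert is deliberately skipped, the code below the hunk (the `is_update` branch and what follows it) receives `''` where it previously received nothing. If an empty password is meant to be ignored there, `if (isset($_POST['mb_password']) && $_POST['mb_password'] !== '')` keeps the old behaviour while still distinguishing a missing field from an empty one. The new condition also reads `$_POST['mb_id']` without `isset`, unlike the password check on the same line; `!empty($_POST['mb_id'])` is consistent and avoids the notice. The first hunk's `$is_social_login_modify` is set only after `social_nonce_is_valid()` accepts the session token, which is the right gate for relaxing the password requirement.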
@@ -3035,7 +3035,30 @@ function clean_xss_tags($str, $check_entities=0) // XSS 어트리뷰트 태그 제거 function clean_xss_attributes($str) { - $str = preg_replace('#(onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavaible|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragdrop|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterupdate|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmoveout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)\\s*=\\s*\\\?".*?"#is', '', $str); + $xss_attributes_string = 
'onAbort|onActivate|onAttribute|onAfterPrint|onAfterScriptExecute|onAfterUpdate|onAnimationCancel|onAnimationEnd|onAnimationIteration|onAnimationStart|onAriaRequest|onAutoComplete|onAutoCompleteError|onAuxClick|onBeforeActivate|onBeforeCopy|onBeforeCut|onBeforeDeactivate|onBeforeEditFocus|onBeforePaste|onBeforePrint|onBeforeScriptExecute|onBeforeUnload|onBeforeUpdate|onBegin|onBlur|onBounce|onCancel|onCanPlay|onCanPlayThrough|onCellChange|onChange|onClick|onClose|onCommand|onCompassNeedsCalibration|onContextMenu|onControlSelect|onCopy|onCueChange|onCut|onDataAvailable|onDataSetChanged|onDataSetComplete|onDblClick|onDeactivate|onDeviceLight|onDeviceMotion|onDeviceOrientation|onDeviceProximity|onDrag|onDragDrop|onDragEnd|onDragEnter|onDragLeave|onDragOver|onDragStart|onDrop|onDurationChange|onEmptied|onEnd|onEnded|onError|onErrorUpdate|onExit|onFilterChange|onFinish|onFocus|onFocusIn|onFocusOut|onFormChange|onFormInput|onFullScreenChange|onFullScreenError|onGotPointerCapture|onHashChange|onHelp|onInput|onInvalid|onKeyDown|onKeyPress|onKeyUp|onLanguageChange|onLayoutComplete|onLoad|onLoadedData|onLoadedMetaData|onLoadStart|onLoseCapture|onLostPointerCapture|onMediaComplete|onMediaError|onMessage|onMouseDown|onMouseEnter|onMouseLeave|onMouseMove|onMouseOut|onMouseOver|onMouseUp|onMouseWheel|onMove|onMoveEnd|onMoveStart|onMozFullScreenChange|onMozFullScreenError|onMozPointerLockChange|onMozPointerLockError|onMsContentZoom|onMsFullScreenChange|onMsFullScreenError|onMsGestureChange|onMsGestureDoubleTap|onMsGestureEnd|onMsGestureHold|onMsGestureStart|onMsGestureTap|onMsGotPointerCapture|onMsInertiaStart|onMsLostPointerCapture|onMsManipulationStateChanged|onMsPointerCancel|onMsPointerDown|onMsPointerEnter|onMsPointerLeave|onMsPointerMove|onMsPointerOut|onMsPointerOver|onMsPointerUp|onMsSiteModeJumpListItemRemoved|onMsThumbnailClick|onOffline|onOnline|onOutOfSync|onPage|onPageHide|onPageShow|onPaste|onPause|onPlay|onPlaying|onPointerCancel|onPointerDown|onPointerEnter|onPoint
erLeave|onPointerLockChange|onPointerLockError|onPointerMove|onPointerOut|onPointerOver|onPointerUp|onPopState|onProgress|onPropertyChange|onqt_error|onRateChange|onReadyStateChange|onReceived|onRepeat|onReset|onResize|onResizeEnd|onResizeStart|onResume|onReverse|onRowDelete|onRowEnter|onRowExit|onRowInserted|onRowsDelete|onRowsEnter|onRowsExit|onRowsInserted|onScroll|onSearch|onSeek|onSeeked|onSeeking|onSelect|onSelectionChange|onSelectStart|onStalled|onStorage|onStorageCommit|onStart|onStop|onShow|onSyncRestored|onSubmit|onSuspend|onSynchRestored|onTimeError|onTimeUpdate|onTimer|onTrackChange|onTransitionEnd|onToggle|onTouchCancel|onTouchEnd|onTouchLeave|onTouchMove|onTouchStart|onTransitionCancel|onTransitionEnd|onUnload|onURLFlip|onUserProximity|onVolumeChange|onWaiting|onWebKitAnimationEnd|onWebKitAnimationIteration|onWebKitAnimationStart|onWebKitFullScreenChange|onWebKitFullScreenError|onWebKitTransitionEnd|onWheel'; + + do { + $count = $temp_count = 0; + + $str = preg_replace( + '/(.*)(?:' . $xss_attributes_string . ')(?:\s*=\s*)(?:\'(?:.*?)\'|"(?:.*?)")(.*)/ius', + '$1-$2-$3-$4', + $str, + -1, + $temp_count + ); + $count += $temp_count; + + $str = preg_replace( + '/(.*)(?:' . $xss_attributes_string . ')\s*=\s*(?:[^\s>]*)(.*)/ius', + '$1$2', + $str, + -1, + $temp_count + ); + $count += $temp_count; + + } while ($count); return $str; } From 6fe20b0a132d51e8ec91dcc5abb71359ea29bb6f Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 2 Mar 2020 20:23:38 +0900 Subject: [PATCH 6/7] =?UTF-8?q?[KVE-2020-0013]=EA=B7=B8=EB=88=84=EB=B3=B4?= =?UTF-8?q?=EB=93=9C=5FReflect=20XSS=5F=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/board_copy.php | 2 +- adm/board_copy_update.php | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/adm/board_copy.php b/adm/board_copy.php index 291a225ac..fb889174a 100644 --- a/adm/board_copy.php +++ b/adm/board_copy.php 
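Review bot: The replacement `'$1-$2-$3-$4'` on the first `preg_replace` refers to groups 3 and 4, but the pattern defines only two capturing groups (the leading and trailing `(.*)`; the attribute name and quoted value are `(?:…)`), so PHP substitutes empty strings and every stripped attribute leaves a literal `--` behind; `'$1-$2'` gives the separator the author appears to want. Both patterns carry the `u` modifier, so on a subject that is not valid UTF-8 `preg_replace()` returns null and the function ends up returning null rather than sanitized text; check `preg_last_error() !== PREG_NO_ERROR` (or validate the encoding up front) and decide explicitly whether to reject or return `''`. Because `(.*)` is greedy under `s`, each pass removes the last matching attribute and `do … while ($count)` re-scans from the start, which is correct but worth a comment: `// each pass strips one attribute (greedy $1); repeat until nothing matches`.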
@@ -31,7 +31,7 @@ include_once(G5_PATH.'/head.sub.php'); - + 복사 유형 diff --git a/adm/board_copy_update.php b/adm/board_copy_update.php index 9b3bd55a9..7a44a9c48 100644 --- a/adm/board_copy_update.php +++ b/adm/board_copy_update.php @@ -11,6 +11,8 @@ check_admin_token(); $target_table = trim($_POST['target_table']); $target_subject = trim($_POST['target_subject']); +$target_subject = strip_tags(clean_xss_attributes($target_subject)); + if (!preg_match('/[A-Za-z0-9_]{1,20}/', $target_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); } From 87bb2f1d8a440c0325ed9dec0a2db6ab86a4815d Mon Sep 17 00:00:00 2001 From: thisgun Date: Mon, 2 Mar 2020 22:08:54 +0900 Subject: [PATCH 7/7] =?UTF-8?q?[KVE-2020-0097,0113,0114,0056]=EA=B7=B8?= =?UTF-8?q?=EB=88=84=EB=B3=B4=EB=93=9C=20=EB=8B=A4=EC=A4=91=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- adm/board_form_update.php | 5 +++++ adm/contentformupdate.php | 5 +++++ adm/qa_config_update.php | 5 +++++ lib/common.lib.php | 11 +++++++++-- plugin/social/register_member_update.php | 5 +++++ 5 files changed, 29 insertions(+), 2 deletions(-) diff --git a/adm/board_form_update.php b/adm/board_form_update.php index 8ddb1840c..b0bbf6889 100644 --- a/adm/board_form_update.php +++ b/adm/board_form_update.php @@ -60,6 +60,11 @@ if(!is_include_path_check($bo_include_tail, 1)) { alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.'); } +if( function_exists('filter_input_include_path') ){ + $bo_include_head = filter_input_include_path($bo_include_head); + $bo_include_tail = filter_input_include_path($bo_include_tail); +} + $board_path = G5_DATA_PATH.'/file/'.$bo_table; // 게시판 디렉토리 생성 diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php index 58437acda..af8c35007 100644 --- a/adm/contentformupdate.php +++ b/adm/contentformupdate.php 
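Review bot: `$target_subject = strip_tags(clean_xss_attributes($target_subject));` filters on input, but the value is presumably stored and rendered later (the companion adm/board_copy.php hunk in this patch did not survive on this page), so the durable fix is context-specific output encoding at the echo site, `htmlspecialchars($target_subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, with this input filter kept as defence in depth. On the context line just below, `preg_match('/[A-Za-z0-9_]{1,20}/', $target_table)` is unanchored and accepts any string containing a single allowed character, which is not what the alert text promises; `'/^[A-Za-z0-9_]{1,20}$/'` would enforce it, though that line is pre-existing and not changed by this commit.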
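Review bot: `filter_input_include_path()` runs after `is_include_path_check()` has already validated `$bo_include_head` and `$bo_include_tail` (the checks sit just above the hunk), so the value written to the board record is not the value that was validated; normalize first and validate the normalized string, i.e. move the two assignments above the `is_include_path_check` calls. The same order appears in the adm/contentformupdate.php and adm/qa_config_update.php hunks of this commit. The `function_exists('filter_input_include_path')` guard makes the normalization silently optional on a deployment whose lib/common.lib.php predates this series; since the function is added in the same commit, the guard can go, or its absence should fail loudly rather than become a no-op.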
@@ -71,6 +71,11 @@ if( $co_include_tail && ! is_include_path_check($co_include_tail, 1) ){ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.'; } +if( function_exists('filter_input_include_path') ){ + $co_include_head = filter_input_include_path($co_include_head); + $co_include_tail = filter_input_include_path($co_include_tail); +} + $co_seo_title = exist_seo_title_recursive('content', generate_seo_title($co_subject), $g5['content_table'], $co_id); $sql_common = " co_include_head = '$co_include_head', diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php index 38b3eaddd..829c78adb 100644 --- a/adm/qa_config_update.php +++ b/adm/qa_config_update.php @@ -56,6 +56,11 @@ if( $qa_include_tail && ! is_include_path_check($qa_include_tail, 1) ){ $error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.'; } +if( function_exists('filter_input_include_path') ){ + $qa_include_head = filter_input_include_path($qa_include_head); + $qa_include_tail = filter_input_include_path($qa_include_tail); +} + $sql = " update {$g5['qa_config_table']} set qa_title = '{$_POST['qa_title']}', qa_category = '{$_POST['qa_category']}', diff --git a/lib/common.lib.php b/lib/common.lib.php index 4b51dc930..7fe2d53ae 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -3022,6 +3022,9 @@ function clean_xss_tags($str, $check_entities=0) if( $check_entities ){ $result = str_replace(array(':', '(', ')', ' ', ' '), '', $result); } + + $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius', + '$1$2', $result); if((string)$result === (string)$str) break; 
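Review bot: The new `preg_replace` in clean_xss_tags() is a denylist of scheme names applied to the whole text, so it mangles ordinary content (a sentence mentioning `vbscript:` loses the word and everything up to the next delimiter) while any scheme absent from the alternation passes untouched. Where a caller knows the value is a URL, the reliable check is an allowlist on the parsed scheme — `parse_url($url, PHP_URL_SCHEME)` compared with `in_array(..., ['http', 'https', 'mailto'], true)` — with this stripping kept as defence in depth for free text. The pattern deserves a why-comment, since `$1`/`$2` re-emit the preceding character and the delimiter while dropping the scheme and value between them: `// drop "<scheme>:<value>" up to the next delimiter; $1/$2 keep the surrounding characters`. The enclosing loop and clean_xss_tags() itself start outside the hunk.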
@@ -3695,10 +3698,10 @@ function is_include_path_check($path='', $is_input='') // 장태진 @jtjisgod 추가 // 보안 목적 : rar wrapper 차단 - if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false ){ + if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false || stripos($path, 'file:') !== false || stripos($path, '://') !== false ){ return false; } - + $replace_path = str_replace('\\', '/', $path); $slash_count = substr_count(str_replace('\\', '/', $_SERVER['SCRIPT_NAME']), '/'); $peer_count = substr_count($replace_path, '../'); @@ -3767,6 +3770,10 @@ function is_include_path_check($path='', $is_input='') return true; } +function filter_input_include_path($path){ + return str_replace('//', '/', $path); +} + function option_array_checked($option, $arr=array()){ $checked = ''; diff --git a/plugin/social/register_member_update.php b/plugin/social/register_member_update.php index 748a82281..23b412fc9 100644 --- a/plugin/social/register_member_update.php +++ b/plugin/social/register_member_update.php @@ -53,6 +53,7 @@ if( ! isset($mb_password) || ! $mb_password ){ } +if ($msg = valid_mb_id($mb_id)) alert($msg, "", true, true); if ($msg = empty_mb_name($mb_name)) alert($msg, "", true, true); if ($msg = empty_mb_nick($mb_nick)) alert($msg, "", true, true); if ($msg = empty_mb_email($mb_email)) alert($msg, "", true, true); 
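Review bot: `filter_input_include_path()` collapses `//` in a single `str_replace` pass, so three or more adjacent slashes are only partly normalized (`'a///b'` becomes `'a//b'`); if the goal is one canonical spelling of the include path, `return preg_replace('#/+#', '/', $path);` does it in one step. The function also has no doc comment; since it is called from three admin update scripts in this series, a line such as `// collapse repeated slashes so is_include_path_check() and the stored value see the same path` would record its role. In the preceding hunk, the added `stripos($path, '://') !== false` test is a sensible catch-all for stream wrappers, but the condition remains a substring denylist and a short comment saying so would guide future additions.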
@@ -68,6 +69,10 @@ if ($msg = exist_mb_id($mb_id)) alert($msg); if ($msg = exist_mb_nick($mb_nick, $mb_id)) alert($msg, "", true, true); if ($msg = exist_mb_email($mb_email, $mb_id)) alert($msg, "", true, true); +if( $mb = get_member($mb_id) ){ + alert("이미 등록된 회원이 존재합니다.", G5_URL); +} + $data = array( 'mb_id' => $mb_id, 'mb_password' => get_encrypt_string($mb_password),
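Review bot: `if( $mb = get_member($mb_id) )` is a check-then-insert: between this lookup and the insert that follows (outside the hunk) a concurrent request with the same `mb_id` can still get through, so the real guarantee must come from a unique key on `mb_id` with the insert failure handled, and this check serves only to give the friendly message. `$mb` is assigned but never read; `if (get_member($mb_id)) {` says the same thing, assuming get_member() returns an empty result for an unknown id. The lookup also overlaps with `exist_mb_id($mb_id)` shown in the hunk header just above; if the two differ in what counts as "exists", a comment should say why both are needed.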