diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 8b40bc8d2..912887760 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -14,11 +14,11 @@ if (!$bo_table) { alert('게시판 TABLE명은 반드시 입력하세요.'); } if (!preg_match("/^([A-Za-z0-9_]{1,20})$/", $bo_table)) { alert('게시판 TABLE명은 공백없이 영문자, 숫자, _ 만 사용 가능합니다. (20자 이내)'); } if (!$_POST['bo_subject']) { alert('게시판 제목을 입력하세요.'); }
-$_POST['bo_include_head'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_head'], 0, 255));
-$_POST['bo_include_tail'] = preg_replace("#[\\\]+$#", "", substr($_POST['bo_include_tail'], 0, 255));
+$bo_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_head, 0, 255));
+$bo_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($bo_include_tail, 0, 255));
 // 관리자가 자동등록방지를 사용해야 할 경우
-if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board['bo_include_tail'] !== $_POST['bo_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if ($board && ($board['bo_include_head'] !== $bo_include_head || $board['bo_include_tail'] !== $bo_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 if (!chk_captcha()) {
@@ -26,7 +26,7 @@ if ($board && ($board['bo_include_head'] !== $_POST['bo_include_head'] || $board
 }
 }
-if ($file = $_POST['bo_include_head']) {
+if ($file = $bo_include_head) {
 $file_ext = pathinfo($file, PATHINFO_EXTENSION);
 if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
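Review bot: The added `#(<\?php|<\?)#i` pattern on the two `+$bo_include_head`/`+$bo_include_tail` lines strips PHP open tags instead of rejecting the value, and a single-pass `preg_replace` leaves behind any tag that is only formed once an inner match has been removed, so a value containing `<?` can still survive to the later `is_include_path_check()` and the stored path. A legitimate include-file path never contains `<?`, so the simpler and safer check is to refuse the request in the style of the surrounding validations: `if (preg_match('#<\?#', $bo_include_head) || preg_match('#<\?#', $bo_include_tail)) { alert('<message: disallowed characters in include path>'); }`. As written, the `<\?php` alternative is also redundant since `<\?` already matches it. The same stripping is added in the adm/contentformupdate.php and adm/qa_config_update.php hunks and the same remark applies there.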
@@ -35,7 +35,7 @@ if ($file = $_POST['bo_include_head']) {
 $_POST['bo_include_head'] = $file;
 }
-if ($file = $_POST['bo_include_tail']) {
+if ($file = $bo_include_tail) {
 $file_ext = pathinfo($file, PATHINFO_EXTENSION);
 if( ! $file_ext || ! in_array($file_ext, array('php', 'htm', 'html')) || ! preg_match('/^.*\.(php|htm|html)$/i', $file) ) {
@@ -44,11 +44,11 @@ if ($file = $_POST['bo_include_tail']) {
 $_POST['bo_include_tail'] = $file;
 }
-if(!is_include_path_check($_POST['bo_include_head'], 1)) {
+if(!is_include_path_check($bo_include_head, 1)) {
 alert('상단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
-if(!is_include_path_check($_POST['bo_include_tail'], 1)) {
+if(!is_include_path_check($bo_include_tail, 1)) {
 alert('하단 파일 경로에 포함시킬수 없는 문자열이 있습니다.');
 }
@@ -125,8 +125,8 @@ $sql_common = " gr_id = '{$_POST['gr_id']}',
 // 최고 관리자인 경우에만 수정가능
 if ($is_admin === 'super'){
-$sql_common .= " bo_include_head = '{$_POST['bo_include_head']}',
- bo_include_tail = '{$_POST['bo_include_tail']}',
+$sql_common .= " bo_include_head = '".$bo_include_head."',
+ bo_include_tail = '".$bo_include_tail."',
 bo_content_head = '{$_POST['bo_content_head']}',
 bo_content_tail = '{$_POST['bo_content_tail']}',
 bo_mobile_content_head = '{$_POST['bo_mobile_content_head']}',
diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index 9904425b1..d344c4707 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
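Review bot: `$_POST['bo_include_head'] = $file;` (context line in this hunk) and `$_POST['bo_include_tail'] = $file;` (context in the `@@ -44` hunk) still write the checked `$file` back into `$_POST`, but after this change nothing downstream reads `$_POST['bo_include_*']` any more: `is_include_path_check()` and the SQL in the `@@ -125` hunk now use `$bo_include_head`/`$bo_include_tail`. If the extension-check block, whose body lies outside the hunk, ever adjusts `$file`, that adjustment is silently dropped from what is validated and stored. Those two lines should become `$bo_include_head = $file;` and `$bo_include_tail = $file;`. The enclosing `if ($file = ...)` blocks start in the preceding hunks.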
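Review bot: `bo_include_head = '".$bo_include_head."',` and the tail line in the `@@ -125` hunk still place the value into the query by string concatenation; the only escaping-related handling visible in this diff is the trailing-backslash strip in the `@@ -14` hunk, so the query's safety rests on `$bo_include_head` arriving already SQL-escaped from the request preprocessing that populates it, which is not shown here. Making that dependency explicit would help the next maintainer, e.g. `// $bo_include_head/$bo_include_tail are expected to arrive SQL-escaped from request preprocessing` above the `$is_admin === 'super'` block, or better, passing both through the project's SQL escaping helper at this point. Mixing `'".$var."'` concatenation with the `{$_POST[...]}` interpolation used on the following lines of the same statement is also inconsistent.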
@@ -20,8 +20,11 @@ if ($w == "" || $w == "u")
 $co_row = sql_fetch($sql);
 }
+$co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255));
+$co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
+
 // 관리자가 자동등록방지를 사용해야 할 경우
-if (($co_row['co_include_head'] !== $_POST['co_include_head'] || $co_row['co_include_tail'] !== $_POST['co_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if (($co_row['co_include_head'] !== $co_include_head || $co_row['co_include_tail'] !== $co_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 if (!chk_captcha()) {
diff --git a/adm/qa_config_update.php b/adm/qa_config_update.php
index df9153e9c..1072b765f 100644
--- a/adm/qa_config_update.php
+++ b/adm/qa_config_update.php
@@ -12,8 +12,11 @@ $error_msg = '';
 $qaconfig = get_qa_config();
+$qa_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_head, 0, 255));
+$qa_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($qa_include_tail, 0, 255));
+
 // 관리자가 자동등록방지를 사용해야 할 경우
-if ($board && ($qaconfig['qa_include_head'] !== $_POST['qa_include_head'] || $qaconfig['qa_include_tail'] !== $_POST['qa_include_tail']) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
+if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 if (!chk_captcha()) {
diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php
index 90f5b3bd7..2e05a4b67 100644
--- a/adm/sms_admin/num_book_write.php
+++ b/adm/sms_admin/num_book_write.php
@@ -43,12 +43,12 @@ include_once(G5_ADMIN_PATH."/admin.head.php"); ?>
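Review bot: The rewritten captcha condition in the adm/qa_config_update.php hunk, `+if ($board && ($qaconfig['qa_include_head'] !== $qa_include_head ...`, keeps a leading `$board &&` guard that looks carried over from board_form_update.php; nothing in this hunk gives qa_config_update.php a board context, and if `$board` is unset or empty here the captcha check is dead code and a changed include path is never challenged. Unless `$board` is deliberately set earlier in the file, drop the guard so the line reads `if (($qaconfig['qa_include_head'] !== $qa_include_head || $qaconfig['qa_include_tail'] !== $qa_include_tail) && function_exists('get_admin_captcha_by') && get_admin_captcha_by()){`. The adm/contentformupdate.php hunk above already uses the same condition without such a guard.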