댓글 수정 CSRF 취약점 수정

bbs/ajax.comment_token.php

@@ -0,0 +1,14 @@
+<?php
+include_once('./_common.php');
+include_once(G5_LIB_PATH.'/json.lib.php');
+
+$ss_name = 'ss_comment_token';
+
+set_session($ss_name, '');
+
+$token = _token();
+
+set_session($ss_name, $token);
+
+die(json_encode(array('token'=>$token)));
+?>

bbs/write_comment_update.php

@@ -3,6 +3,11 @@ define('G5_CAPTCHA', true);
 include_once('./_common.php');
 include_once(G5_CAPTCHA_PATH.'/captcha.lib.php');
 
+// 토큰체크
+$comment_token = trim(get_session('ss_comment_token'));
+if(!trim($_POST['token']) || !$comment_token || $comment_token != $_POST['token'])
+    alert('올바른 방법으로 이용해 주십시오.');
+
 // 090710
 if (substr_count($wr_content, "&#") > 50) {
     alert('내용에 올바르지 않은 코드가 다수 포함되어 있습니다.');

js/common.js

@@ -546,6 +546,26 @@ function font_resize(id, rmv_class, add_class)
     set_cookie("ck_font_resize_add_class", add_class, 1, g5_cookie_domain);
 }
 
+/**
+ * 댓글 수정 토큰
+**/
+function set_comment_token(f)
+{
+    if(typeof f.token === "undefined")
+        $(f).prepend('<input type="hidden" name="token" value="">');
+
+    $.ajax({
+        url: g5_bbs_url+"/ajax.comment_token.php",
+        type: "GET",
+        dataType: "json",
+        async: false,
+        cache: false,
+        success: function(data, textStatus) {
+            f.token.value = data.token;
+        }
+    });
+}
+
 $(function(){
     $(".win_point").click(function() {
         win_point(this.href);

mobile/skin/board/basic/view_comment.skin.php

@@ -250,6 +250,8 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
 
         <?php if($is_guest) echo chk_captcha_js(); ?>
 
+        set_comment_token(f);
+
         document.getElementById("btn_submit").disabled = "disabled";
 
         return true;

mobile/skin/board/gallery/view_comment.skin.php

@@ -250,6 +250,8 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
 
         <?php if($is_guest) echo chk_captcha_js(); ?>
 
+        set_comment_token(f);
+
         document.getElementById("btn_submit").disabled = "disabled";
 
         return true;

skin/board/basic/view_comment.skin.php

@@ -258,6 +258,8 @@ function fviewcomment_submit(f)
 
     <?php if($is_guest) echo chk_captcha_js();  ?>
 
+    set_comment_token(f);
+
     document.getElementById("btn_submit").disabled = "disabled";
 
     return true;

skin/board/gallery/view_comment.skin.php

@@ -258,6 +258,8 @@ function fviewcomment_submit(f)
 
     <?php if($is_guest) echo chk_captcha_js();  ?>
 
+    set_comment_token(f);
+
     document.getElementById("btn_submit").disabled = "disabled";
 
     return true;

theme/basic/mobile/skin/board/basic/view_comment.skin.php

@@ -250,6 +250,8 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
 
         <?php if($is_guest) echo chk_captcha_js(); ?>
 
+        set_comment_token(f);
+
         document.getElementById("btn_submit").disabled = "disabled";
 
         return true;

theme/basic/mobile/skin/board/gallery/view_comment.skin.php

@@ -250,6 +250,8 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
 
         <?php if($is_guest) echo chk_captcha_js(); ?>
 
+        set_comment_token(f);
+
         document.getElementById("btn_submit").disabled = "disabled";
 
         return true;

theme/basic/skin/board/basic/view_comment.skin.php

@@ -258,6 +258,8 @@ function fviewcomment_submit(f)
 
     <?php if($is_guest) echo chk_captcha_js();  ?>
 
+    set_comment_token(f);
+
     document.getElementById("btn_submit").disabled = "disabled";
 
     return true;

theme/basic/skin/board/gallery/view_comment.skin.php

@@ -258,6 +258,8 @@ function fviewcomment_submit(f)
 
     <?php if($is_guest) echo chk_captcha_js();  ?>
 
+    set_comment_token(f);
+
     document.getElementById("btn_submit").disabled = "disabled";
 
     return true;