From e724ef72915f819efcfcce13c4b4b135b928fef6 Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@sir.co.kr>
Date: Mon, 13 Jun 2016 17:47:41 +0900
Subject: [PATCH 1/2] =?UTF-8?q?=EC=BB=A4=EB=A7=A8=EB=93=9C=20=EC=9D=B8?=
 =?UTF-8?q?=EC=A0=9D=EC=85=98=20=EC=B7=A8=EC=95=BD=EC=A0=90(16-418=20419)?=
 =?UTF-8?q?=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 plugin/okname/hpcert.config.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/plugin/okname/hpcert.config.php b/plugin/okname/hpcert.config.php
index af36c47e8..06b54b4c7 100644
--- a/plugin/okname/hpcert.config.php
+++ b/plugin/okname/hpcert.config.php
@@ -33,6 +33,8 @@ else
     $clientDomain = $_SERVER['SERVER_NAME'];
 unset($p);
 
+$clientDomain = escapeshellarg($clientDomain);
+
 
 $rsv1 = '0';                                        // 예약 항목
 $rsv2 = '0';                                        // 예약 항목
@@ -78,5 +80,5 @@ if($config['cf_cert_use'] == 2) {
 // ########################################################################
 // # 리턴 URL 설정
 // ########################################################################
-$returnUrl = G5_OKNAME_URL.'/hpcert2.php';          // 본인인증 완료후 리턴될 URL (도메인 포함 full path)
+$returnUrl = escapeshellarg(G5_OKNAME_URL.'/hpcert2.php');          // 본인인증 완료후 리턴될 URL (도메인 포함 full path)
 ?>
\ No newline at end of file

From 2a9e72da41b865d082cfaf39eb2d5b5bf0719f3f Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@sir.co.kr>
Date: Fri, 24 Jun 2016 17:17:02 +0900
Subject: [PATCH 2/2] =?UTF-8?q?=EA=B2=8C=EC=8B=9C=EA=B8=80=20=EB=8C=93?=
 =?UTF-8?q?=EA=B8=80=20=EC=82=AD=EC=A0=9C=20=EB=95=8C=20=ED=86=A0=ED=81=B0?=
 =?UTF-8?q?=20=EC=B2=B4=ED=81=AC=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/delete.php         | 10 +++++-----
 bbs/delete_comment.php | 10 +++++-----
 bbs/password.php       |  6 ++++--
 bbs/view.php           |  8 ++------
 bbs/view_comment.php   | 10 ++++------
 5 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/bbs/delete.php b/bbs/delete.php
index 3e75649cb..fe9f369be 100644
--- a/bbs/delete.php
+++ b/bbs/delete.php
@@ -1,11 +1,11 @@
 <?php
 include_once('./_common.php');
 
-if ($is_admin)
-{
-    if (!($token && get_session('ss_delete_token') == $token))
-        alert('토큰 에러로 삭제 불가합니다.');
-}
+$delete_token = get_session('ss_delete_token');
+set_session('ss_delete_token', '');
+
+if (!($token && $delete_token == $token))
+    alert('토큰 에러로 삭제 불가합니다.');
 
 //$wr = sql_fetch(" select * from $write_table where wr_id = '$wr_id' ");
 
diff --git a/bbs/delete_comment.php b/bbs/delete_comment.php
index 812c6f516..cd75e575c 100644
--- a/bbs/delete_comment.php
+++ b/bbs/delete_comment.php
@@ -2,11 +2,11 @@
 // 코멘트 삭제
 include_once('./_common.php');
 
-if ($is_admin)
-{
-    if (!($token && get_session("ss_delete_token") == $token))
-        alert('토큰 에러로 삭제 불가합니다.');
-}
+$delete_comment_token = get_session('ss_delete_comment_token');
+set_session('ss_delete_comment_token', '');
+
+if (!($token && $delete_comment_token == $token))
+    alert('토큰 에러로 삭제 불가합니다.');
 
 // 4.1
 @include_once($board_skin_path.'/delete_comment.head.skin.php');
diff --git a/bbs/password.php b/bbs/password.php
index ffd2a55b4..32d31259a 100644
--- a/bbs/password.php
+++ b/bbs/password.php
@@ -9,11 +9,13 @@ switch ($w) {
         $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id;
         break;
     case 'd' :
-        $action = './delete.php';
+        set_session('ss_delete_token', $token = uniqid(time()));
+        $action = './delete.php?token='.$token;
         $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id;
         break;
     case 'x' :
-        $action = './delete_comment.php';
+        set_session('ss_delete_comment_token', $token = uniqid(time()));
+        $action = './delete_comment.php?token='.$token;
         $row = sql_fetch(" select wr_parent from $write_table where wr_id = '$comment_id' ");
         $return_url = './board.php?bo_table='.$bo_table.'&amp;wr_id='.$row['wr_parent'];
         break;
diff --git a/bbs/view.php b/bbs/view.php
index e570a7763..1031da62c 100644
--- a/bbs/view.php
+++ b/bbs/view.php
@@ -72,12 +72,8 @@ $update_href = $delete_href = '';
 // 로그인중이고 자신의 글이라면 또는 관리자라면 비밀번호를 묻지 않고 바로 수정, 삭제 가능
 if (($member['mb_id'] && ($member['mb_id'] == $write['mb_id'])) || $is_admin) {
     $update_href = './write.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr;
-    $delete_href = './delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.urldecode($qstr);
-    if ($is_admin)
-    {
-        set_session("ss_delete_token", $token = uniqid(time()));
-        $delete_href ='./delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;token='.$token.'&amp;page='.$page.urldecode($qstr);
-    }
+    set_session('ss_delete_token', $token = uniqid(time()));
+    $delete_href ='./delete.php?bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;token='.$token.'&amp;page='.$page.urldecode($qstr);
 }
 else if (!$write['mb_id']) { // 회원이 쓴 글이 아니라면
     $update_href = './password.php?w=u&amp;bo_table='.$bo_table.'&amp;wr_id='.$wr_id.'&amp;page='.$page.$qstr;
diff --git a/bbs/view_comment.php b/bbs/view_comment.php
index 6eb1c8cd4..c6e6614cc 100644
--- a/bbs/view_comment.php
+++ b/bbs/view_comment.php
@@ -9,11 +9,6 @@ if ($is_guest && $board['bo_comment_level'] < 2) {
 
 @include_once($board_skin_path.'/view_comment.head.skin.php');
 
-// 코멘트를 새창으로 여는 경우 세션값이 없으므로 생성한다.
-if ($is_admin && !$token) {
-    set_session("ss_delete_token", $token = uniqid(time()));
-}
-
 $list = array();
 
 $is_comment_write = false;
@@ -72,10 +67,13 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
     $list[$i]['is_del']  = false;
     if ($is_comment_write || $is_admin)
     {
+        $token = '';
+
         if ($member['mb_id'])
         {
             if ($row['mb_id'] == $member['mb_id'] || $is_admin)
             {
+                set_session('ss_delete_comment_token', $token = uniqid(time()));
                 $list[$i]['del_link']  = './delete_comment.php?bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;token='.$token.'&amp;page='.$page.$qstr;
                 $list[$i]['is_edit']   = true;
                 $list[$i]['is_del']    = true;
@@ -84,7 +82,7 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
         else
         {
             if (!$row['mb_id']) {
-                $list[$i]['del_link'] = './password.php?w=x&amp;bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;page='.$page.$qstr;
+                $list[$i]['del_link'] = './password.php?w=x&amp;bo_table='.$bo_table.'&amp;comment_id='.$row['wr_id'].'&amp;token='.$token.'&amp;page='.$page.$qstr;
                 $list[$i]['is_del']   = true;
             }
         }