From c6425adffc85436f1d26d0ba9da59c7dee85436b Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 14 Mar 2017 12:30:58 +0900
Subject: [PATCH] =?UTF-8?q?=EC=9B=90=EA=B2=A9=EC=BD=94=EB=93=9C=20?= =?UTF-8?q?=EC=8B=A4=ED=96=89=20=EC=B7=A8=EC=95=BD=EC=A0=90(17-00160)=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/board_form_update.php | 8 ++++++++
 adm/sms_admin/_common.php | 2 ++
 bbs/board_head.php | 6 +++++-
 bbs/board_tail.php | 6 +++++-
 plugin/htmlpurifier/safeiframe.txt | 6 ++++++
 5 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/adm/board_form_update.php b/adm/board_form_update.php
index 78e7d8773..70c679b16 100644
--- a/adm/board_form_update.php
+++ b/adm/board_form_update.php
@@ -35,6 +35,14 @@ if ($file = $_POST['bo_include_tail']) {
 $_POST['bo_include_tail'] = $file;
 }
 
+if(!is_include_path_check($_POST['bo_include_head'])) {
+ alert('/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.');
+}
+
+if(!is_include_path_check($_POST['bo_include_tail'])) {
+ alert('/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.');
+}
+
 $board_path = G5_DATA_PATH.'/file/'.$bo_table;
 
 // 게시판 디렉토리 생성
diff --git a/adm/sms_admin/_common.php b/adm/sms_admin/_common.php
index 50def26fd..7cf17b2b7 100644
--- a/adm/sms_admin/_common.php
+++ b/adm/sms_admin/_common.php
@@ -12,5 +12,7 @@ if (!strstr($_SERVER['SCRIPT_NAME'], 'install.php')) {
 //$sms5 = sql_fetch("select * from ".$g5['sms5_config_table'] );
 }
 
+$sv = isset($_REQUEST['sv']) ? get_search_string($_REQUEST['sv']) : '';
+
 add_stylesheet('', 0);
 ?>
\ No newline at end of file
diff --git a/bbs/board_head.php b/bbs/board_head.php
index d62bf8f35..04b60450f 100644
--- a/bbs/board_head.php
+++ b/bbs/board_head.php
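Review bot: The two new guards pass `$_POST['bo_include_head']` and `$_POST['bo_include_tail']` to `is_include_path_check`, whose definition is outside this patch, and the alert text describes a substring denylist (`/data/file/`, `/data/editor/`); a denylist on raw path strings only holds if the value is normalised first (for example via `realpath()`, or by rejecting `..` and repeated separators), so it is worth confirming the helper does that. A positive rule — require the resolved path to sit under a fixed, non-upload directory such as the skin tree beneath `G5_PATH` — would be more robust than naming the upload directories and would not need updating when a new writable location is added. Whether `alert()` terminates the request is not visible in this hunk; if it only emits output, the update that follows outside the hunk still runs with the rejected value, so an explicit `exit;` after each `alert(...)` would make the intent unambiguous.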
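Review bot: The added `$sv = isset($_REQUEST['sv']) ? get_search_string($_REQUEST['sv']) : '';` reads from `$_REQUEST`, which merges GET, POST and (depending on `request_order`) cookies, so the search term can be supplied through any of them; reading from `$_GET['sv']` or `$_POST['sv']` explicitly narrows the source to the one the SMS admin pages actually use. `get_search_string` is not defined in this patch, so it cannot be confirmed here whether it only filters for display or also makes the value safe for SQL; the queries that consume `$sv` outside this hunk should still bind it as a parameter rather than rely on this pre-filtering. If the same admin pages consume other request-derived variables, they presumably warrant the same explicit initialisation in this shared include.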
@@ -7,7 +7,11 @@ if (G5_IS_MOBILE) {
 include_once(G5_BBS_PATH.'/_head.php');
 echo stripslashes($board['bo_mobile_content_head']);
 } else {
- @include ($board['bo_include_head']);
+ if(is_include_path_check($board['bo_include_head'])) { //파일경로 체크
+ @include ($board['bo_include_head']);
+ } else { //파일경로가 올바르지 않으면 기본파일을 가져옴
+ include_once(G5_BBS_PATH.'/_head.php');
+ }
 echo stripslashes($board['bo_content_head']);
 }
 ?>
\ No newline at end of file
diff --git a/bbs/board_tail.php b/bbs/board_tail.php
index c97af5d88..57b81b46e 100644
--- a/bbs/board_tail.php
+++ b/bbs/board_tail.php
@@ -8,6 +8,10 @@ if (G5_IS_MOBILE) {
 include_once(G5_BBS_PATH.'/_tail.php');
 } else {
 echo stripslashes($board['bo_content_tail']);
- @include ($board['bo_include_tail']);
+ if(is_include_path_check($board['bo_include_tail'])) { //파일경로 체크
+ @include ($board['bo_include_tail']);
+ } else { //파일경로가 올바르지 않으면 기본파일을 가져옴
+ include_once(G5_BBS_PATH.'/_tail.php');
+ }
 }
 ?>
\ No newline at end of file
diff --git a/plugin/htmlpurifier/safeiframe.txt b/plugin/htmlpurifier/safeiframe.txt
index 6484f4ccf..b87696a76 100644
--- a/plugin/htmlpurifier/safeiframe.txt
+++ b/plugin/htmlpurifier/safeiframe.txt
@@ -4,3 +4,9 @@ www.youtube(?:-nocookie)?.com/
 serviceapi.rmcnmv.naver.com/
 videofarm.daum.net/
 player.vimeo.com/
+maps.google.com/
+play.afreeca.com/
+v.nate.com/
+www.microsoft.com/showcase/video.aspx/
+w.soundcloud.com/
+www.facebook.com/
\ No newline at end of file
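Review bot: The accepted branch still uses `@include ($board['bo_include_head'])`, so a stored path that passes `is_include_path_check` but does not exist fails silently, while the new fallback branch uses `include_once`; dropping the `@` (or at least logging the failure) would surface misconfiguration instead of hiding it. When the stored path is rejected the page quietly renders the default header, yet a board row that already holds a rejected `bo_include_head` is a signal worth recording — for example `error_log('board_head: rejected bo_include_head for '.$board['bo_table']);` before the fallback — since `adm/board_form_update.php` in this same patch now blocks such values at save time, so an existing offending row did not arrive through that form. The same pattern and both remarks apply to the `bo_include_tail` hunk in bbs/board_tail.php. Where `is_include_path_check` is defined is outside this patch, so the strength of the check itself cannot be assessed here.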
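Review bot: The six added entries are regex fragments (the existing `www.youtube(?:-nocookie)?.com/` line shows the file is consumed as a pattern), but none of them escape their dots, so each `.` also matches any single character; writing them as `maps\.google\.com/`, `v\.nate\.com/` and so on keeps the allowlist as tight as the hostnames intend. `www.facebook.com/` and `maps.google.com/` admit every path on those hosts, which is broader than the path-scoped `www.microsoft.com/showcase/video.aspx/` added alongside them; if only specific embed endpoints are needed, scoping each entry to that path reduces what an iframe may load. How these fragments are anchored and joined into the purifier's SafeIframe regexp is outside this patch, so that part cannot be reviewed here.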