From c8d41381c9c2df7ef15b00d2ea40fba11b7f9a6f Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 17 Oct 2018 19:39:00 +0900
Subject: [PATCH] =?UTF-8?q?=EC=9D=B4=EB=AF=B8=EC=A7=80=20=EC=83=81?= =?UTF-8?q?=EC=84=B8=20=EB=B3=B4=EA=B8=B0=20=ED=8E=98=EC=9D=B4=EC=A7=80=20?= =?UTF-8?q?=ED=99=95=EC=9E=A5=EC=9E=90=20=EC=B2=B4=ED=81=AC=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/view_image.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/bbs/view_image.php b/bbs/view_image.php
index 6bcd005e2..bc7f8e63e 100644
--- a/bbs/view_image.php
+++ b/bbs/view_image.php
@@ -4,7 +4,13 @@ include_once('./_common.php');
 $g5['title'] = '이미지 크게보기';
 include_once(G5_PATH.'/head.sub.php');
 
-$filename = preg_replace('/[^A-Za-z0-9 _ .-]/', '', $_GET['fn']);
+$filename = preg_replace('/[^A-Za-z0-9 _ .-\/]/', '', $_GET['fn']);
+
+$extension = pathinfo($filename, PATHINFO_EXTENSION);
+
+if ( ! preg_match('/(jpg|jpeg|png|gif|bmp)$/i', $extension) ){
+    alert_close('확장자가 이미지인것만 요청할수 있습니다.');
+}
 
 if(strpos($filename, 'data/editor')) {
    $editor_file = strstr($filename, 'editor');
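Review bot: In the new preg_replace on the `+$filename` line, appending `\/` directly after `.-` turns `.-\/` into a character range from `.` to `/`, so the literal hyphen the old class allowed is now stripped from every filename that contains `-` and such files will no longer resolve; put the hyphen last instead, `$filename = preg_replace('/[^A-Za-z0-9 _.\/-]/', '', $_GET['fn']);`. Because `/` and `.` are now both permitted, a `..` segment survives this filter, so the code after the hunk that turns `$filename` into a filesystem path should reject it explicitly, e.g. `if (strpos($filename, '..') !== false) alert_close('<message placeholder>');` or a realpath check that the result stays under the data directory. The extension test `preg_match('/(jpg|jpeg|png|gif|bmp)$/i', $extension)` is only end-anchored; `in_array(strtolower($extension), ['jpg', 'jpeg', 'png', 'gif', 'bmp'], true)` states the intended whitelist exactly. The `if(strpos($filename, 'data/editor'))` block that begins at the end of the hunk continues outside it.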