Merge branch 'g5'

2015-06-10 14:41:36 +09:00
parent dbfa48b691 1a2f4251ed
commit e6065e378c
9 changed files with 93 additions and 9 deletions
--- a/adm/sms_admin/form_write.php
+++ b/adm/sms_admin/form_write.php
@ -145,7 +145,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php');
    </div>
    <div class="btn_confirm01 btn_confirm">
        <input type="submit" value="확인" class="btn_submit" accesskey="s">
-        <a href="./form_list.php?<?php echo $_SERVER['QUERY_STRING']?>">목록</a>
+        <a href="./form_list.php?<?php echo clean_query_string($_SERVER['QUERY_STRING']); ?>">목록</a>
    </div>
 </form>

--- a/adm/sms_admin/num_book.php
+++ b/adm/sms_admin/num_book.php
@ -142,7 +142,7 @@ function no_hp_click(val)
 <input type="hidden" name="token" value="<?php echo $token; ?>">
 <input type="hidden" name="sw" value="">
 <input type="hidden" name="atype" value="del">
-<input type="hidden" name="str_query" value="<?php echo $_SERVER['QUERY_STRING']?>" >
+<input type="hidden" name="str_query" value="<?php echo clean_query_string($_SERVER['QUERY_STRING']); ?>" >

 <div class="tbl_head01 tbl_wrap">
    <table>
--- a/adm/sms_admin/num_book_write.php
+++ b/adm/sms_admin/num_book_write.php
@ -130,7 +130,7 @@ include_once(G5_ADMIN_PATH."/admin.head.php");

 <div class="btn_confirm01 btn_confirm">
    <input type="submit" value="확인" class="btn_submit" accesskey="s" onclick="return book_submit();">
-    <a href="./num_book.php?<?php echo $_SERVER['QUERY_STRING']?>">목록</a>
+    <a href="./num_book.php?<?php echo clean_query_string($_SERVER['QUERY_STRING']); ?>">목록</a>
 </div>

 </form>
--- a/bbs/download.php
+++ b/bbs/download.php
@ -25,8 +25,8 @@ if (!$file['bf_file'])
 // JavaScript 불가일 때
 if($js != 'on' && $board['bo_download_point'] < 0) {
    $msg = $file['bf_source'].' 파일을 다운로드 하시면 포인트가 차감('.number_format($board['bo_download_point']).'점)됩니다.\\n포인트는 게시물당 한번만 차감되며 다음에 다시 다운로드 하셔도 중복하여 차감하지 않습니다.\\n그래도 다운로드 하시겠습니까?';
-    $url1 = G5_BBS_URL.'/download.php?'.$_SERVER['QUERY_STRING'].'&amp;js=on';
-    $url2 = $_SERVER['HTTP_REFERER'];
+    $url1 = G5_BBS_URL.'/download.php?'.clean_query_string($_SERVER['QUERY_STRING']).'&amp;js=on';
+    $url2 = clean_xss_tags($_SERVER['HTTP_REFERER']);

    //$url1 = 확인link, $url2=취소link
    // 특정주소로 이동시키려면 $url3 이용
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -2884,4 +2884,88 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
        }
    }
 }
+
+// QUERY STRING 에 포함된 XSS 태그 제거
+function clean_query_string($query, $amp=true)
+{
+    $qstr = trim($query);
+
+    parse_str($qstr, $out);
+
+    if(is_array($out)) {
+        $q = array();
+
+        foreach($out as $key=>$val) {
+            $key = trim($key);
+            $val = trim($val);
+
+            switch($key) {
+                case 'wr_id':
+                    $val = (int)preg_replace('/[^0-9]/', '', $val);
+                    $q[$key] = $val;
+                    break;
+                case 'sca':
+                    $val = clean_xss_tags($val);
+                    $q[$key] = $val;
+                    break;
+                case 'sfl':
+                    $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+                    $q[$key] = $val;
+                    break;
+                case 'stx':
+                    $val = get_search_string($val);
+                    $q[$key] = $val;
+                    break;
+                case 'sst':
+                    $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+                    $q[$key] = $val;
+                    break;
+                case 'sod':
+                    $val = preg_match("/^(asc|desc)$/i", $val) ? $val : '';
+                    $q[$key] = $val;
+                    break;
+                case 'sop':
+                    $val = preg_match("/^(or|and)$/i", $val) ? $val : '';
+                    $q[$key] = $val;
+                    break;
+                case 'spt':
+                    $val = (int)preg_replace('/[^0-9]/', '', $val);
+                    $q[$key] = $val;
+                    break;
+                case 'page':
+                    $val = (int)preg_replace('/[^0-9]/', '', $val);
+                    $q[$key] = $val;
+                    break;
+                case 'w':
+                    $val = substr($val, 0, 2);
+                    $q[$key] = $val;
+                    break;
+                case 'bo_table':
+                    $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+                    $val = substr($val, 0, 20);
+                    $q[$key] = $val;
+                    break;
+                case 'gr_id':
+                    $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+                    $q[$key] = $val;
+                    break;
+                default:
+                    $val = clean_xss_tags($val);
+                    $q[$key] = $val;
+                    break;
+            }
+        }
+
+        if($amp)
+            $sep = '&amp;';
+        else
+            $sep ='&';
+
+        $str = http_build_query($q, '', $sep);
+    } else {
+        $str = clean_xss_tags($qstr);
+    }
+
+    return $str;
+}
 ?>
--- a/mobile/skin/board/basic/view_comment.skin.php
+++ b/mobile/skin/board/basic/view_comment.skin.php
@ -50,7 +50,7 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
        <textarea id="save_comment_<?php echo $comment_id ?>" style="display:none"><?php echo get_text($list[$i]['content1'], 0) ?></textarea>

        <?php if($list[$i]['is_reply'] || $list[$i]['is_edit'] || $list[$i]['is_del']) {
-            $query_string = str_replace("&", "&amp;", $_SERVER['QUERY_STRING']);
+            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
--- a/mobile/skin/board/gallery/view_comment.skin.php
+++ b/mobile/skin/board/gallery/view_comment.skin.php
@ -50,7 +50,7 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
        <textarea id="save_comment_<?php echo $comment_id ?>" style="display:none"><?php echo get_text($list[$i]['content1'], 0) ?></textarea>

        <?php if($list[$i]['is_reply'] || $list[$i]['is_edit'] || $list[$i]['is_del']) {
-            $query_string = str_replace("&", "&amp;", $_SERVER['QUERY_STRING']);
+            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
--- a/skin/board/basic/view_comment.skin.php
+++ b/skin/board/basic/view_comment.skin.php
@ -56,7 +56,7 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
        <textarea id="save_comment_<?php echo $comment_id ?>" style="display:none"><?php echo get_text($list[$i]['content1'], 0) ?></textarea>

        <?php if($list[$i]['is_reply'] || $list[$i]['is_edit'] || $list[$i]['is_del']) {
-            $query_string = str_replace("&", "&amp;", $_SERVER['QUERY_STRING']);
+            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
--- a/skin/board/gallery/view_comment.skin.php
+++ b/skin/board/gallery/view_comment.skin.php
@ -56,7 +56,7 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
        <textarea id="save_comment_<?php echo $comment_id ?>" style="display:none"><?php echo get_text($list[$i]['content1'], 0) ?></textarea>

        <?php if($list[$i]['is_reply'] || $list[$i]['is_edit'] || $list[$i]['is_del']) {
-            $query_string = str_replace("&", "&amp;", $_SERVER['QUERY_STRING']);
+            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";