firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

LFI to RCE 취약점 수정

Browse Source
This commit is contained in:
thisgun
2017-02-06 20:00:18 +09:00
parent ce03af265e
commit ed957cf6b3
7 changed files with 51 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
adm/contentformupdate.php
View File

@ -18,6 +18,18 @@ check_admin_token();
if ($co_himg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_h"); if ($co_himg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_h");
if ($co_timg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_t"); if ($co_timg_del) @unlink(G5_DATA_PATH."/content/{$co_id}_t");
$error_msg = '';
if( $co_include_head && ! is_include_path_check($co_include_head) ){
$co_include_head = '';
$error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.';
}
if( $co_include_tail && ! is_include_path_check($co_include_tail) ){
$co_include_tail = '';
$error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
}
$sql_common = " co_include_head = '$co_include_head', $sql_common = " co_include_head = '$co_include_head',
co_include_tail = '$co_include_tail', co_include_tail = '$co_include_tail',
co_html = '$co_html', co_html = '$co_html',
@ -74,7 +86,11 @@ if ($w == "" || $w == "u")
@chmod($dest_path, G5_FILE_PERMISSION); @chmod($dest_path, G5_FILE_PERMISSION);
} }
goto_url("./contentform.php?w=u&co_id=$co_id"); if( $error_msg ){
alert($error_msg, "./contentform.php?w=u&co_id=$co_id");
} else {
goto_url("./contentform.php?w=u&co_id=$co_id");
}
} }
else else
{ {

22
adm/qa_config_update.php
View File

@ -8,6 +8,18 @@ auth_check($auth[$sub_menu], 'w');
check_admin_token(); check_admin_token();
$error_msg = '';
if( $qa_include_head && ! is_include_path_check($qa_include_head) ){
$qa_include_head = '';
$error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 상단 파일 경로에 포함시킬수 없습니다.';
}
if( $qa_include_tail && ! is_include_path_check($qa_include_tail) ){
$qa_include_tail = '';
$error_msg = '/data/file/ 또는 /data/editor/ 포함된 문자를 하단 파일 경로에 포함시킬수 없습니다.';
}
$sql = " update {$g5['qa_config_table']} $sql = " update {$g5['qa_config_table']}
set qa_title = '{$_POST['qa_title']}', set qa_title = '{$_POST['qa_title']}',
qa_category = '{$_POST['qa_category']}', qa_category = '{$_POST['qa_category']}',
@ -29,8 +41,8 @@ $sql = " update {$g5['qa_config_table']}
qa_image_width = '{$_POST['qa_image_width']}', qa_image_width = '{$_POST['qa_image_width']}',
qa_upload_size = '{$_POST['qa_upload_size']}', qa_upload_size = '{$_POST['qa_upload_size']}',
qa_insert_content = '{$_POST['qa_insert_content']}', qa_insert_content = '{$_POST['qa_insert_content']}',
qa_include_head = '{$_POST['qa_include_head']}', qa_include_head = '{$qa_include_head}',
qa_include_tail = '{$_POST['qa_include_tail']}', qa_include_tail = '{$qa_include_tail}',
qa_content_head = '{$_POST['qa_content_head']}', qa_content_head = '{$_POST['qa_content_head']}',
qa_content_tail = '{$_POST['qa_content_tail']}', qa_content_tail = '{$_POST['qa_content_tail']}',
qa_mobile_content_head = '{$_POST['qa_mobile_content_head']}', qa_mobile_content_head = '{$_POST['qa_mobile_content_head']}',
@ -47,5 +59,9 @@ $sql = " update {$g5['qa_config_table']}
qa_5 = '{$_POST['qa_5']}' "; qa_5 = '{$_POST['qa_5']}' ";
sql_query($sql); sql_query($sql);
goto_url('./qa_config.php'); if($error_msg){
alert($error_msg, './qa_config.php');
} else {
goto_url('./qa_config.php');
}
?> ?>

4
bbs/content.php
View File

@ -19,7 +19,7 @@ if (!$co['co_id'])
$g5['title'] = $co['co_subject']; $g5['title'] = $co['co_subject'];
if ($co['co_include_head']) if (is_include_path_check($co['co_include_head']))
@include_once($co['co_include_head']); @include_once($co['co_include_head']);
else else
include_once('./_head.php'); include_once('./_head.php');
@ -85,7 +85,7 @@ if(is_file($skin_file)) {
echo '<p>'.str_replace(G5_PATH.'/', '', $skin_file).'이 존재하지 않습니다.</p>'; echo '<p>'.str_replace(G5_PATH.'/', '', $skin_file).'이 존재하지 않습니다.</p>';
} }
if ($co['co_include_tail']) if (is_include_path_check($co['co_include_tail']))
@include_once($co['co_include_tail']); @include_once($co['co_include_tail']);
else else
include_once('./_tail.php'); include_once('./_tail.php');

2
bbs/qahead.php
View File

@ -9,7 +9,7 @@ if (G5_IS_MOBILE) {
include_once('./_head.php'); include_once('./_head.php');
echo conv_content($qaconfig['qa_mobile_content_head'], 1); echo conv_content($qaconfig['qa_mobile_content_head'], 1);
} else { } else {
if($qaconfig['qa_include_head']) if(is_include_path_check($qaconfig['qa_include_head']))
@include ($qaconfig['qa_include_head']); @include ($qaconfig['qa_include_head']);
else else
include ('./_head.php'); include ('./_head.php');

2
bbs/qatail.php
View File

@ -7,7 +7,7 @@ if (G5_IS_MOBILE) {
include_once('./_tail.php'); include_once('./_tail.php');
} else { } else {
echo conv_content($qaconfig['qa_content_tail'], 1); echo conv_content($qaconfig['qa_content_tail'], 1);
if($qaconfig['qa_include_tail']) if(is_include_path_check($qaconfig['qa_include_tail']))
@include ($qaconfig['qa_include_tail']); @include ($qaconfig['qa_include_tail']);
else else
include ('./_tail.php'); include ('./_tail.php');

9
lib/common.lib.php
View File

@ -3259,4 +3259,13 @@ function check_write_token($bo_table)
return true; return true;
} }
// include 하는 경로에 data file 경로가 포함되어 있는지 체크합니다.
function is_include_path_check($path='')
{
if( !$path || preg_match('/\/data\/(file|editor)\/[A-Za-z0-9_]{1,20}\//', $path) ){
return false;
}
return true;
}
?> ?>

4
lib/thumbnail.lib.php
View File

@ -273,8 +273,8 @@ function thumbnail($filename, $source_path, $target_path, $thumb_width, $thumb_h
} }
} }
} else if ($size[2] == 3) { } else if ($size[2] == 3) {
$src = imagecreatefrompng($source_file); $src = @imagecreatefrompng($source_file);
imagealphablending($src, true); @imagealphablending($src, true);
} else { } else {
return; return;
} }