diff --git a/adm/_common.php b/adm/_common.php index a61a0623a..aad9d14a9 100644 --- a/adm/_common.php +++ b/adm/_common.php @@ -7,4 +7,26 @@ if( isset($token) ){ $token = @htmlspecialchars(strip_tags($token), ENT_QUOTES); } +if( ! function_exists('check_data_htaccess_file') ) { + function check_data_htaccess_file() { + $save_path = G5_DATA_PATH.'/.htaccess'; + if( file_exists($save_path) && is_writable($save_path) ) { + $code = file_get_contents($save_path); + $add_code = 'RedirectMatch 403 /session/.*'; + if( strpos($code, $add_code) === false ){ + $fp = fopen($save_path, "ab"); + flock( $fp, LOCK_EX ); + + fwrite( $fp, "\n\n" ); + fwrite( $fp, $add_code ); + fwrite( $fp, "\n\n" ); + + flock( $fp, LOCK_UN ); + fclose($fp); + } + } + } + check_data_htaccess_file(); +} + run_event('admin_common'); \ No newline at end of file diff --git a/common.php b/common.php index dd4c2e1af..4d167beb8 100644 --- a/common.php +++ b/common.php @@ -208,7 +208,8 @@ if (file_exists($dbconfig_file)) { @ini_set("session.use_trans_sid", 0); // PHPSESSID를 자동으로 넘기지 않음 @ini_set("url_rewriter.tags",""); // 링크에 PHPSESSID가 따라다니는것을 무력화함 (해뜰녘님께서 알려주셨습니다.) -session_save_path(G5_SESSION_PATH); +// 세션파일 저장 디렉토리를 지정할 경우 +// session_save_path(G5_SESSION_PATH); if (isset($SESSION_CACHE_LIMITER)) @session_cache_limiter($SESSION_CACHE_LIMITER); 
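Review bot: `check_data_htaccess_file()` never checks the return values of `file_get_contents()` and `fopen()`, so a read or open failure on `data/.htaccess` reaches `strpos()` with `false` and `flock()`/`fwrite()` with a non-resource, emitting warnings on every admin request since the function is called unconditionally at the bottom of the block. Guard both calls: `if (($code = file_get_contents($save_path)) === false) return;` and `if (($fp = fopen($save_path, 'ab')) === false) return;`, and only write when `flock()` succeeds. When `.htaccess` does not exist or is not writable the function silently does nothing, so the `RedirectMatch 403 /session/.*` rule is simply absent on such installs, and the rule only has effect under Apache with `.htaccess` overrides enabled; a header comment such as `// Apache-only: appends a 403 rule for the session directory to an existing, writable data/.htaccess; no-op otherwise` would make both limits visible to the next maintainer.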
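Review bot: The added comment `// 세션파일 저장 디렉토리를 지정할 경우` says when to re-enable `session_save_path(G5_SESSION_PATH)` but not why it was disabled or where session files now go: with the call commented out PHP's default `session.save_path` is used, which on shared hosts is typically a directory shared with every other site. A reader who sees this hunk next to the new `RedirectMatch 403 /session/.*` rule in adm/_common.php will assume sessions still live under `G5_SESSION_PATH`; a comment like `// Sessions now use PHP's default session.save_path; re-enable this line to keep them under data/session (covered by the 403 rule in data/.htaccess)` resolves that. The enclosing `if (file_exists($dbconfig_file))` block starts and ends outside the hunk.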
@@ -232,8 +233,15 @@ function chrome_domain_session_name(){ '.maru.net', // 마루호스팅 ); - if(isset($_SERVER['HTTP_HOST']) && preg_match('/('.implode('|', $domain_array).')/i', $_SERVER['HTTP_HOST'])){ // 위의 도메인주소를 포함한 url접속시 기본세션이름을 변경한다. - if(! defined('G5_SESSION_NAME')) define('G5_SESSION_NAME', 'G5PHPSESSID'); + $add_str = ''; + $document_root_path = str_replace('\\', '/', realpath($_SERVER['DOCUMENT_ROOT'])); + + if( G5_PATH !== $document_root_path ){ + $add_str = substr_count(G5_PATH, '/').basename(dirname(__FILE__)); + } + + if($add_str || (isset($_SERVER['HTTP_HOST']) && preg_match('/('.implode('|', $domain_array).')/i', $_SERVER['HTTP_HOST'])) ){ // 위의 도메인주소를 포함한 url접속시 기본세션이름을 변경한다. + if(! defined('G5_SESSION_NAME')) define('G5_SESSION_NAME', 'G5'.$add_str.'PHPSESSID'); @session_name(G5_SESSION_NAME); } } diff --git a/install/install_db.php b/install/install_db.php index 33fd0a31c..397c0cea9 100644 --- a/install/install_db.php +++ b/install/install_db.php @@ -648,6 +648,7 @@ $str = << +RedirectMatch 403 /session/.* EOD; fwrite($f, $str); fclose($f); diff --git a/plugin/kcaptcha/kcaptcha.lib.php b/plugin/kcaptcha/kcaptcha.lib.php index 6354399b9..5c89dc783 100644 --- a/plugin/kcaptcha/kcaptcha.lib.php +++ b/plugin/kcaptcha/kcaptcha.lib.php @@ -274,9 +274,15 @@ function chk_captcha() return false; } - if (!isset($_POST['captcha_key'])) return false; - if (!trim($_POST['captcha_key'])) return false; - if ($_POST['captcha_key'] != get_session('ss_captcha_key')) { + $post_captcha_key = (isset($_POST['captcha_key']) && $_POST['captcha_key']) ? trim($_POST['captcha_key']) : ''; + if (!trim($post_captcha_key)) return false; + + if( $post_captcha_key && function_exists('get_string_encrypt') ){ + $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); + $post_captcha_key = get_string_encrypt($ip.$post_captcha_key); + } + + if ($post_captcha_key != get_session('ss_captcha_key')) { $_SESSION['ss_captcha_count'] = $captcha_count + 1; return false; } 
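Review bot: `realpath($_SERVER['DOCUMENT_ROOT'])` returns `false` when `DOCUMENT_ROOT` is unset (CLI, some FastCGI setups) or does not resolve, so `$document_root_path` becomes `''`, `G5_PATH !== ''` is always true and `$add_str` is set unconditionally — `HTTP_HOST` gets an `isset()` a few lines later but `DOCUMENT_ROOT` does not. The install directory name from `basename(dirname(__FILE__))` also flows straight into the session/cookie name without being restricted to characters that `session_name()` and browsers accept. Suggested: `$document_root_path = isset($_SERVER['DOCUMENT_ROOT']) ? str_replace('\\', '/', (string) realpath($_SERVER['DOCUMENT_ROOT'])) : '';` / `if( $document_root_path !== '' && G5_PATH !== $document_root_path ){` / `$add_str = preg_replace('/[^A-Za-z0-9]/', '', substr_count(G5_PATH, '/').basename(dirname(__FILE__)));`. `chrome_domain_session_name()` starts outside the hunk.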
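Review bot: The decisive check `if ($post_captcha_key != get_session('ss_captcha_key'))` is still a loose, non-constant-time comparison even though both sides are now `get_string_encrypt()` outputs; `if (!hash_equals((string) get_session('ss_captcha_key'), $post_captcha_key)) {` rules out numeric-string coercion (`'1e3' == '1000'`) and matches the `===` that kcaptcha_result.php uses for the same decision. `$_POST['captcha_key']` is also passed to `trim()` without a type check, so an array value produces a warning (a `TypeError` on PHP 8) instead of a clean `return false`; `$post_captcha_key = (isset($_POST['captcha_key']) && is_string($_POST['captcha_key'])) ? trim($_POST['captcha_key']) : '';` covers that and makes the second `trim()` redundant. Binding the key to `md5(sha1($_SERVER['REMOTE_ADDR']))` means a client whose address changes between fetching the image and submitting will fail — presumably intended, but worth a one-line comment at the `$ip =` line. `chk_captcha()` starts outside the hunk.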
diff --git a/plugin/kcaptcha/kcaptcha_image.php b/plugin/kcaptcha/kcaptcha_image.php index 37bd3c205..fc74c95a4 100644 --- a/plugin/kcaptcha/kcaptcha_image.php +++ b/plugin/kcaptcha/kcaptcha_image.php @@ -3,6 +3,11 @@ include_once("_common.php"); include_once('captcha.lib.php'); $captcha = new KCAPTCHA(); -$captcha->setKeyString(get_session("ss_captcha_key")); +$ss_captcha_key = get_session("ss_captcha_key"); +if( $ss_captcha_key && !preg_match('/^[0-9]/', $ss_captcha_key) && function_exists('get_string_decrypt') ){ + $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); + $ss_captcha_key = str_replace($ip, '', get_string_decrypt($ss_captcha_key)); +} +$captcha->setKeyString($ss_captcha_key); $captcha->getKeyString(); $captcha->image(); \ No newline at end of file diff --git a/plugin/kcaptcha/kcaptcha_mp3.php b/plugin/kcaptcha/kcaptcha_mp3.php index 5672320a3..30961de77 100644 --- a/plugin/kcaptcha/kcaptcha_mp3.php +++ b/plugin/kcaptcha/kcaptcha_mp3.php @@ -8,6 +8,10 @@ function make_mp3() $number = get_session("ss_captcha_key"); if ($number == "") return; + $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); + if( $number && function_exists('get_string_decrypt') ){ + $number = str_replace($ip, '', get_string_decrypt($number)); + } if ($number == get_session("ss_captcha_save")) return; $mp3s = array(); @@ -16,7 +20,6 @@ function make_mp3() $mp3s[] = $file; } - $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); $mp3_file = 'cache/kcaptcha-'.$ip.'_'.G5_SERVER_TIME.'.mp3'; $contents = ''; @@ -35,6 +38,9 @@ function make_mp3() } } + if( $number && function_exists('get_string_encrypt') ){ + $number = get_string_encrypt($ip.$number); + } set_session("ss_captcha_save", $number); return G5_DATA_URL.'/'.$mp3_file; diff --git a/plugin/kcaptcha/kcaptcha_result.php b/plugin/kcaptcha/kcaptcha_result.php index 0487fac3f..fe2f1fd90 100644 --- a/plugin/kcaptcha/kcaptcha_result.php +++ b/plugin/kcaptcha/kcaptcha_result.php 
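Review bot: The `!preg_match('/^[0-9]/', $ss_captcha_key)` guard decides whether the stored key is encrypted by its first character — presumably a fallback for plaintext keys already in sessions, which look numeric judging by `$number` in kcaptcha_mp3.php — but it is only correct if `get_string_encrypt()` output never starts with a digit, which nothing in this diff establishes; when it does, decryption is skipped and the image renders the ciphertext, while kcaptcha_mp3.php decrypts the same value with no such guard, so the two readers already disagree. `str_replace($ip, '', ...)` also removes the client tag wherever it occurs instead of requiring it as a prefix, so a key wrapped for another address is passed on with the foreign tag still attached rather than rejected. Suggest `$plain = get_string_decrypt($ss_captcha_key);` / `$ss_captcha_key = (strpos($plain, $ip) === 0) ? substr($plain, strlen($ip)) : '';`, applied identically in kcaptcha_mp3.php.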
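Review bot: After this hunk `$number` holds the decrypted key, but the next line `if ($number == get_session("ss_captcha_save")) return;` compares it with `ss_captcha_save`, which the third hunk (`@@ -35,6 +38,9 @@`) now stores as `get_string_encrypt($ip.$number)`; unless `ss_captcha_save` is decrypted somewhere outside the diff, plaintext never equals ciphertext, the early return is dead and a fresh mp3 is written to `cache/` on every call. Either compare before decrypting or unwrap the saved value the same way: `$saved = get_session("ss_captcha_save");` / `if ($saved && function_exists('get_string_decrypt')) $saved = str_replace($ip, '', get_string_decrypt($saved));` / `if ($number == $saved) return;`. `make_mp3()` continues outside the hunk.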
@@ -9,5 +9,10 @@ if ($count >= 5) { // 설정값 이상이면 자동등록방지 입력 문자가 echo false; } else { set_session("ss_captcha_count", $count + 1); + + if( $captcha_key && function_exists('get_string_encrypt') ){ + $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); + $captcha_key = get_string_encrypt($ip.$captcha_key); + } echo (get_session("ss_captcha_key") === $captcha_key) ? true : false; } \ No newline at end of file diff --git a/plugin/kcaptcha/kcaptcha_session.php b/plugin/kcaptcha/kcaptcha_session.php index e2cb80362..c9b527dd3 100644 --- a/plugin/kcaptcha/kcaptcha_session.php +++ b/plugin/kcaptcha/kcaptcha_session.php @@ -11,6 +11,11 @@ while(true){ if(!preg_match('/cp|cb|ck|c6|c9|rn|rm|mm|co|do|cl|db|qp|qb|dp|ww/', $keystring)) break; } +if( $keystring && function_exists('get_string_encrypt') ){ + $ip = md5(sha1($_SERVER['REMOTE_ADDR'])); + $keystring = get_string_encrypt($ip.$keystring); +} + set_session("ss_captcha_count", 0); set_session("ss_captcha_key", $keystring); $captcha = new KCAPTCHA(); diff --git a/plugin/social/Hybrid/Storage.php b/plugin/social/Hybrid/Storage.php index 16a2f6cb2..bc6e4f4ad 100644 --- a/plugin/social/Hybrid/Storage.php +++ b/plugin/social/Hybrid/Storage.php @@ -11,6 +11,7 @@ require_once realpath(dirname(__FILE__)) . "/StorageInterface.php"; * HybridAuth storage manager */ class Hybrid_Storage implements Hybrid_Storage_Interface { + public static $stores = array(); /** * Constructor 
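Review bot: `echo (get_session("ss_captcha_key") === $captcha_key) ? true : false;` now compares two `get_string_encrypt()` outputs with a short-circuiting `===` on a endpoint that answers client-supplied guesses; `echo hash_equals((string) get_session("ss_captcha_key"), (string) $captcha_key) ? true : false;` gives a constant-time check, and the same form belongs in `chk_captcha()` (kcaptcha.lib.php, currently loose `!=`) so all three verifiers behave alike. `$captcha_key` is assigned outside the hunk, so whether it is already trimmed and string-typed cannot be confirmed here; the `if( $captcha_key && ...)` truthiness test skips encryption for a key of `'0'`, so `$captcha_key !== ''` is the safer condition. The enclosing `if ($count >= 5) { ... } else {` starts outside the hunk.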
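Review bot: This is the fifth copy of the `md5(sha1($_SERVER['REMOTE_ADDR']))` + `get_string_encrypt()`/`get_string_decrypt()` block in the plugin (kcaptcha_session.php, kcaptcha_image.php, kcaptcha_mp3.php, kcaptcha_result.php, `chk_captcha()`), and the copies already differ in how the tag is stripped and when decryption is attempted. Two helpers in kcaptcha.lib.php would keep the tag derivation, the prefix check and the `function_exists()` fallback in one place; this hunk then reduces to `$keystring = kcaptcha_wrap_key($keystring);` and each reader to `kcaptcha_unwrap_key(get_session('ss_captcha_key'))`. The `while(true)` generation loop and the `KCAPTCHA` construction lie outside the hunk.
```php
// kcaptcha.lib.php: session-key wrapping shared by the kcaptcha scripts and chk_captcha()
function kcaptcha_client_tag()
{
    return md5(sha1($_SERVER['REMOTE_ADDR']));
}

// Stored form is encrypt(tag . key); the plain key is kept when get_string_encrypt() is unavailable
function kcaptcha_wrap_key($keystring)
{
    if (!$keystring || !function_exists('get_string_encrypt')) return $keystring;
    return get_string_encrypt(kcaptcha_client_tag().$keystring);
}

// Inverse of kcaptcha_wrap_key(); '' when the stored value was not wrapped for this client
function kcaptcha_unwrap_key($stored)
{
    if (!$stored || !function_exists('get_string_decrypt')) return $stored;
    $tag   = kcaptcha_client_tag();
    $plain = (string) get_string_decrypt($stored);
    return (strpos($plain, $tag) === 0) ? substr($plain, strlen($tag)) : '';
}
```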
@@ -37,11 +38,21 @@ class Hybrid_Storage implements Hybrid_Storage_Interface { $key = strtolower($key); if ($value) { - $_SESSION["HA::CONFIG"][$key] = serialize($value); + $serialize_value = function_exists('get_string_encrypt') ? get_string_encrypt(serialize($value)) : serialize($value); + + if( in_array($key, array('php_session_id', 'config')) ){ + $this->stores[$key] = $serialize_value; + } else { + $_SESSION["HA::CONFIG"][$key] = $serialize_value; + } + } elseif (isset($this->stores[$key])) { + $unserialize_value = function_exists('get_string_decrypt') ? unserialize(get_string_decrypt($this->stores[$key])) : unserialize($this->stores[$key]); + return $unserialize_value; } elseif (isset($_SESSION["HA::CONFIG"][$key])) { - return unserialize($_SESSION["HA::CONFIG"][$key]); + $unserialize_value = function_exists('get_string_decrypt') ? unserialize(get_string_decrypt($_SESSION["HA::CONFIG"][$key])) : unserialize($_SESSION["HA::CONFIG"][$key]); + return $unserialize_value; } - + return null; } @@ -55,7 +66,8 @@ class Hybrid_Storage implements Hybrid_Storage_Interface { $key = strtolower($key); if (isset($_SESSION["HA::STORE"], $_SESSION["HA::STORE"][$key])) { - return unserialize($_SESSION["HA::STORE"][$key]); + $unserialize_value = function_exists('get_string_decrypt') ? unserialize(get_string_decrypt($_SESSION["HA::STORE"][$key])) : unserialize($_SESSION["HA::STORE"][$key]); + return $unserialize_value; } return null; @@ -70,7 +82,8 @@ class Hybrid_Storage implements Hybrid_Storage_Interface { */ public function set($key, $value) { $key = strtolower($key); - $_SESSION["HA::STORE"][$key] = serialize($value); + $serialize_value = function_exists('get_string_encrypt') ? get_string_encrypt(serialize($value)) : serialize($value); + $_SESSION["HA::STORE"][$key] = $serialize_value; } /** @@ -138,4 +151,4 @@ class Hybrid_Storage implements Hybrid_Storage_Interface { $_SESSION["HA::STORE"] = unserialize($sessiondata); } -} +} \ No newline at end of file 
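Review bot: `$stores` is declared `public static $stores = array();` in the preceding hunk but is read and written here as `$this->stores[$key]`, which addresses an instance property, not the static one: PHP raises "Accessing static property Hybrid_Storage::$stores as non static", the write creates a dynamic per-instance property (deprecated on 8.2), and a second `new Hybrid_Storage()` never sees the `config`/`php_session_id` values the first instance kept out of `$_SESSION`. Use `self::$stores[$key]` in all three places, or drop `static` if per-instance storage is what is intended. `in_array($key, array('php_session_id', 'config'))` should also pass `true` as its third argument. `config()` starts outside the hunk.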
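Review bot: The `function_exists('get_string_decrypt') ? unserialize(get_string_decrypt(...)) : unserialize(...)` ternary is now written out three times (here and twice in `config()`) and its `get_string_encrypt()` mirror twice (`config()` and `set()`), each repeating the session lookup; two private helpers `private function encode($value) { $s = serialize($value); return function_exists('get_string_encrypt') ? get_string_encrypt($s) : $s; }` and `private function decode($stored) { return unserialize(function_exists('get_string_decrypt') ? get_string_decrypt($stored) : $stored); }` turn every branch into a one-liner, this hunk becoming `return $this->decode($_SESSION["HA::STORE"][$key]);`. When `get_string_decrypt()` is handed a value that was stored in plain before this change, `unserialize()` presumably gets garbage, emits a notice and returns `false`, which `get()` then returns instead of `null`; a `=== false` check on the decoded value (or a one-time session reset on upgrade) would keep the contract. `get()` starts outside the hunk.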
diff --git a/plugin/social/includes/functions.php b/plugin/social/includes/functions.php index fb8b11c4e..c7a8b45fd 100644 --- a/plugin/social/includes/functions.php +++ b/plugin/social/includes/functions.php @@ -391,7 +391,8 @@ function social_session_exists_check(){ } if( $provider_name && isset($_SESSION['HA::STORE']['hauth_session.'.strtolower($provider_name).'.is_logged_in']) && !empty($_SESSION['sl_userprofile'][$provider_name]) ){ - return json_decode($_SESSION['sl_userprofile'][$provider_name]); + $decode_value = function_exists('get_string_decrypt') ? json_decode(get_string_decrypt($_SESSION['sl_userprofile'][$provider_name])) : json_decode($_SESSION['sl_userprofile'][$provider_name]); + return $decode_value; } return false; @@ -485,8 +486,9 @@ function social_check_login_before($p_service=''){ $_SESSION['sl_userprofile'] = array(); } - if( ! $is_member ){ - $_SESSION['sl_userprofile'][$provider_name] = json_encode( $user_profile ); + if( ! $is_member ){ + $encode_value = function_exists('get_string_encrypt') ? get_string_encrypt(json_encode($user_profile)) : json_encode($user_profile); + $_SESSION['sl_userprofile'][$provider_name] = $encode_value; } } diff --git a/plugin/social/includes/g5_endpoint_class.php b/plugin/social/includes/g5_endpoint_class.php index 95d085b8d..b3d2432d8 100644 --- a/plugin/social/includes/g5_endpoint_class.php +++ b/plugin/social/includes/g5_endpoint_class.php 
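Review bot: `json_decode(get_string_decrypt(...))` yields `null` whenever decryption does not produce JSON — presumably the case for a profile saved in plain before this change — and `social_session_exists_check()` then returns `null` where its other exit returns `false`, which matters to any caller comparing `=== false`. The ternary also duplicates the `json_decode` call and the session lookup; `$profile = $_SESSION['sl_userprofile'][$provider_name];` / `if (function_exists('get_string_decrypt')) $profile = get_string_decrypt($profile);` / `$decoded = json_decode($profile); return $decoded !== null ? $decoded : false;` reads more directly, and the mirrored encrypt ternary in the `@@ -485,8 +486,9 @@` hunk can be flattened the same way. `social_session_exists_check()` starts outside the hunk.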
@@ -3,6 +3,40 @@ if (!defined('_GNUBOARD_')) exit; class G5_Hybrid_Endpoint extends Hybrid_Endpoint { + protected function authInit() { + if (!$this->initDone) { + $this->initDone = true; + + // Init Hybrid_Auth + try { + if (!class_exists("Hybrid_Storage", false)) { + require_once realpath(dirname(dirname(__FILE__))). "/Hybrid/Storage.php"; + } + if (!class_exists("Hybrid_Exception", false)) { + require_once realpath(dirname(dirname(__FILE__))). "/Hybrid/Exception.php"; + } + if (!class_exists("Hybrid_Logger", false)) { + require_once realpath(dirname(dirname(__FILE__))). "/Hybrid/Logger.php"; + } + + $storage = new Hybrid_Storage(); + $provider_id = ucfirst(trim(strip_tags($this->request["hauth_start"]))); + if(!$provider_id) $provider_id = ucfirst(trim(strip_tags($this->request["hauth_done"]))); + + $storage->config("CONFIG", social_build_provider_config($provider_id)); + // Check if Hybrid_Auth session already exist + if (!$storage->config("CONFIG")) { + $this->dieError("CONFIG FAILED: ", "Unable to get config", array()); + } + + Hybrid_Auth::initialize($storage->config("CONFIG")); + } catch (Exception $e) { + Hybrid_Logger::error("Endpoint: Error while trying to init Hybrid_Auth: " . $e->getMessage()); + $this->dieError("Endpoint Error: ", $e->getMessage(), $e); + } + } + } + protected function processAuthStart(){ try { parent::processAuthStart();
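Review bot: `$this->request["hauth_start"]` is read unconditionally before the `hauth_done` fallback, so a request carrying only `hauth_done` (the callback leg) raises an undefined-index notice on every login, and the resulting `ucfirst(trim(strip_tags(...)))` of a client-controlled parameter is handed to `social_build_provider_config()` without being checked against the providers this site actually configures. Suggest `$provider_id = isset($this->request["hauth_start"]) ? ucfirst(trim(strip_tags($this->request["hauth_start"]))) : '';` / `if (!$provider_id && isset($this->request["hauth_done"])) $provider_id = ucfirst(trim(strip_tags($this->request["hauth_done"])));` and, unless `social_build_provider_config()` already rejects unknown names, an explicit check against the configured provider list before `config("CONFIG", ...)`. The `catch` forwards `$e->getMessage()` to `dieError()` on a public endpoint; logging it (as the line above already does) and showing a generic message is the safer split. The three `class_exists`/`require_once` pairs could be one loop over `array('Storage', 'Exception', 'Logger')`.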