[KVE-2025-0191] Stored XSS (bypass html_purify via Open Redirect) 취약점 수정

2025-04-17 16:04:01 +09:00
parent ada8f28aae
commit f9c972d866
2 changed files with 30 additions and 0 deletions
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -685,6 +685,10 @@ function html_purifier($html)
    )
    );

+    // 커스텀 URI 필터 등록
+    $def = $config->getDefinition('URI', true); // URI 정의 가져오기
+    $def->addFilter(new HTMLPurifierContinueParamFilter(), $config); // 커스텀 필터 추가
+
    $purifier = new HTMLPurifier($config);

    return run_replace('html_purifier_result', $purifier->purify($html), $purifier, $html);
--- a/plugin/htmlpurifier/extend.video.php
+++ b/plugin/htmlpurifier/extend.video.php
@ -77,4 +77,30 @@ if( !class_exists('HTMLPurifier_Filter_Iframevideo') ){
 			}
 		}
 	}
+}
+
+if( !class_exists('HTMLPurifierContinueParamFilter') ){
+	class HTMLPurifierContinueParamFilter extends HTMLPurifier_URIFilter
+	{
+		public $name = 'ContinueParamFilter';
+        
+        public function filter(&$uri, $config, $context)
+        {
+            // 쿼리 파라미터 검사
+            $query = $uri->query;
+            $path = $uri->path;
+            
+            if ($path && preg_match('#[\\\\/]logout#i', $path)) {
+                return false;
+            }
+            
+            if ($query) {
+                if (isset($query_params['continue'])) {
+                    return false;
+                }
+            }
+
+            return true; // 조건 통과 시 허용
+        }
+	}
 }