diff --git a/adm/admin.lib.php b/adm/admin.lib.php index 8df3ba958..7b5125e8c 100644 --- a/adm/admin.lib.php +++ b/adm/admin.lib.php @@ -379,6 +379,47 @@ function get_sanitize_input($s, $is_html=false){ return $s; } +function check_log_folder($log_path){ + + if( is_writable($log_path) ){ + + // 아파치 서버인 경우 웹에서 해당 폴더 접근 막기 + $htaccess_file = $log_path.'/.htaccess'; + if ( !file_exists( $htaccess_file ) ) { + if ( $handle = @fopen( $htaccess_file, 'w' ) ) { + fwrite( $handle, 'Order deny,allow' . "\n" ); + fwrite( $handle, 'Deny from all' . "\n" ); + fclose( $handle ); + } + } + + // 아파치 서버인 경우 해당 디렉토리 파일 목록 안보이게 하기 + $index_file = $log_path . '/index.php'; + if ( !file_exists( $index_file ) ) { + if ( $handle = @fopen( $index_file, 'w' ) ) { + fwrite( $handle, '' ); + fclose( $handle ); + } + } + } + + // txt 파일과 log 파일을 조회하여 30일이 지난 파일은 삭제합니다. + $txt_files = glob($log_path.'/*.txt'); + $log_files = glob($log_path.'/*.log'); + + $del_files = array_merge($txt_files, $log_files); + + if( $del_files && is_array($del_files) ){ + foreach ($del_files as $del_file) { + $filetime = filemtime($del_file); + // 30일이 지난 파일을 삭제 + if($filetime && $filetime < (G5_SERVER_TIME - 2592000)) { + @unlink($del_file); + } + } + } +} + // POST로 넘어온 토큰과 세션에 저장된 토큰 비교 function check_admin_token() { diff --git a/adm/sms_admin/emoticon_move_update.php b/adm/sms_admin/emoticon_move_update.php index aa1227f6a..8fe03b539 100644 --- a/adm/sms_admin/emoticon_move_update.php +++ b/adm/sms_admin/emoticon_move_update.php @@ -6,6 +6,8 @@ auth_check($auth[$sub_menu], "r"); if(!count($_POST['chk_fg_no'])) alert('이모티콘을 이동할 그룹을 한개 이상 선택해 주십시오.', $url); +$fo_no_list = preg_replace('/[^a-zA-Z0-9\, ]/', '', $fo_no_list); + $sql = "select * from {$g5['sms5_form_table']} where fo_no in ($fo_no_list) order by fo_no desc "; $result = sql_query($sql); $save = array(); diff --git a/adm/sms_admin/history_num.php b/adm/sms_admin/history_num.php index 530cfcdcd..f53dfb407 100644 --- a/adm/sms_admin/history_num.php +++ b/adm/sms_admin/history_num.php @@ -16,6 +16,10 @@ if ($st && trim($sv)) else $sql_search = ""; +if( isset($st) && !in_array($st, array('hs_name', 'hs_hp', 'bk_no')) ){ + $st = ''; +} + $total_res = sql_fetch("select count(*) as cnt from {$g5['sms5_history_table']} where 1 $sql_search"); $total_count = $total_res['cnt']; diff --git a/adm/sms_admin/history_view.php b/adm/sms_admin/history_view.php index 2fd9d1b0c..498d7fe03 100644 --- a/adm/sms_admin/history_view.php +++ b/adm/sms_admin/history_view.php @@ -8,6 +8,10 @@ $colspan = 10; $st = isset($st) ? strip_tags($st) : ''; $ssv = isset($ssv) ? strip_tags($ssv) : ''; +if( $st && !in_array($st, array('hs_name', 'hs_hp', 'bk_no')) ){ + $st = ''; +} + auth_check($auth[$sub_menu], "r"); $g5['title'] = "문자전송 상세내역"; diff --git a/adm/sms_admin/num_book_move.php b/adm/sms_admin/num_book_move.php index 0097f9150..f69248d89 100644 --- a/adm/sms_admin/num_book_move.php +++ b/adm/sms_admin/num_book_move.php @@ -31,8 +31,8 @@ for ($i=0; $row=sql_fetch_array($result); $i++)
- - + +
diff --git a/adm/sms_admin/number_move_update.php b/adm/sms_admin/number_move_update.php index ad24a7010..76ad32fcb 100644 --- a/adm/sms_admin/number_move_update.php +++ b/adm/sms_admin/number_move_update.php @@ -6,6 +6,8 @@ auth_check($auth[$sub_menu], "r"); if(!count($_POST['chk_bg_no'])) alert('번호를 '.$act.'할 그룹을 한개 이상 선택해 주십시오.', $url); +$bk_no_list = preg_replace('/[^a-zA-Z0-9\, ]/', '', $bk_no_list); + $sql = "select * from {$g5['sms5_book_table']} where bk_no in ($bk_no_list) order by bk_no desc "; $result = sql_query($sql); $save = array(); diff --git a/bbs/move_update.php b/bbs/move_update.php index fd48087fe..d956ff0d7 100644 --- a/bbs/move_update.php +++ b/bbs/move_update.php @@ -125,7 +125,7 @@ while ($row = sql_fetch_array($result)) // 제이프로님 코드제안 적용 $copy_file_name = ($bo_table !== $move_bo_table) ? $row3['bf_file'] : $row2['wr_id'].'_copy_'.$insert_id.'_'.$row3['bf_file']; @copy($src_dir.'/'.$row3['bf_file'], $dst_dir.'/'.$copy_file_name); - @chmod($dst_dir/$row3['bf_file'], G5_FILE_PERMISSION); + @chmod($dst_dir.'/'.$row3['bf_file'], G5_FILE_PERMISSION); } $sql = " insert into {$g5['board_file_table']} diff --git a/config.php b/config.php index a5915741f..639ef70ff 100644 --- a/config.php +++ b/config.php @@ -5,7 +5,7 @@ ********************/ define('G5_VERSION', '그누보드5'); -define('G5_GNUBOARD_VER', '5.3.2.3'); +define('G5_GNUBOARD_VER', '5.3.2.4'); define('G5_YOUNGCART_VER', '5.3.2.3'); // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음 diff --git a/lib/common.lib.php b/lib/common.lib.php index be838b2fe..d2a0d53ff 100644 --- a/lib/common.lib.php +++ b/lib/common.lib.php @@ -3504,8 +3504,10 @@ function is_include_path_check($path='', $is_input='') { if( $path ){ if ($is_input){ + // 장태진 @jtjisgod 추가 + // 보안 목적 : rar wrapper 차단 - if( stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){ + if( stripos($path, 'rar:') !== false || stripos($path, 'php:') !== false || stripos($path, 'zlib:') !== false || stripos($path, 'bzip2:') !== false || stripos($path, 'zip:') !== false || stripos($path, 'data:') !== false || stripos($path, 'phar:') !== false ){ return false; } diff --git a/plugin/lgxpay/lgdacom/XPayClient.php b/plugin/lgxpay/lgdacom/XPayClient.php index 177d0becc..07543e50a 100644 --- a/plugin/lgxpay/lgdacom/XPayClient.php +++ b/plugin/lgxpay/lgdacom/XPayClient.php @@ -143,7 +143,7 @@ class XPayClient // log_dir 재설정 $this->config["log_dir"] = $home_dir."/log"; - $this->log_file = $this->config["log_dir"] . "/log_" . date("Ymd") . ".log"; + $this->log_file = $this->config["log_dir"] . "/log_" . date("Ymd") . '_' . substr(md5(mt_rand()), 0, 12) . ".log"; // make log directory if does not exist if (!file_exists($this->config["log_dir"])) { mkdir($this->config["log_dir"], "0777", true); @@ -604,6 +604,10 @@ class XPayClient function Log($msg, $level=LGD_LOG_FATAL) { + if( !(defined('LGD_LOG_SAVE') && LGD_LOG_SAVE) ){ + return; + } + if ($level > $this->config["log_level"]) return; $err_msg = date("Y-m-d H:i:s")." [".$this->err_label[$level]."] [".$this->TX_ID."] ".$msg."\n"; diff --git a/plugin/lgxpay/lgdacom/XPayClient4DB.php b/plugin/lgxpay/lgdacom/XPayClient4DB.php index c657d68ea..b330656b1 100644 --- a/plugin/lgxpay/lgdacom/XPayClient4DB.php +++ b/plugin/lgxpay/lgdacom/XPayClient4DB.php @@ -141,7 +141,7 @@ class XPayClient $array3 = array($mid => $mertkey); $this->config = $array1 + $array2 + $array3; - $this->log_file = $this->config["log_dir"] . "/log_" . date("Ymd") . ".log"; + $this->log_file = $this->config["log_dir"] . "/log_" . date("Ymd") . '_' . substr(md5(mt_rand()), 0, 12) . ".log"; // make log directory if does not exist if (!file_exists($this->config["log_dir"])) { mkdir($this->config["log_dir"], "0777", true); @@ -602,6 +602,10 @@ class XPayClient function Log($msg, $level=LGD_LOG_FATAL) { + if( !(defined('LGD_LOG_SAVE') && LGD_LOG_SAVE) ){ + return; + } + if ($level > $this->config["log_level"]) return; $err_msg = date("Y-m-d H:i:s")." [".$this->err_label[$level]."] [".$this->TX_ID."] ".$msg."\n";