[KVE-2020-0200,0202]그누보드,영카트 다중취약점 수정

gnuboard · Apr 23, 2020 · 4c41828 · 4c41828
1 parent 1dc7e56
commit 4c41828
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 6 deletions.
diff --git a/adm/admin.lib.php b/adm/admin.lib.php
@@ -477,7 +477,7 @@ function admin_check_xss_params($params){
 
         if( is_array($value) ){
             admin_check_xss_params($value);
-        } else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value)) ){
+        } else if ( (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*get_ajax_token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) ){
             alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
             die();
         }

diff --git a/adm/board_form.php b/adm/board_form.php
@@ -82,6 +82,7 @@
 
 $required = "";
 $readonly = "";
+$sound_only = "";
 if ($w == '') {
 
     $html_title .= ' 생성';

diff --git a/install/ajax.install.check.php b/install/ajax.install.check.php
@@ -15,6 +15,10 @@
     die(install_json_msg('프로그램이 이미 설치되어 있습니다.'));
 }
 
+if (preg_match("/[^0-9a-z_]+/i", $_POST['table_prefix']) ) {
+    die(install_json_msg('TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.'));
+}
+
 $mysql_host  = safe_install_string_check($_POST['mysql_host'], 'json');
 $mysql_user  = safe_install_string_check($_POST['mysql_user'], 'json');
 $mysql_pass  = safe_install_string_check($_POST['mysql_pass'], 'json');

diff --git a/install/install_config.php b/install/install_config.php
@@ -61,7 +61,7 @@
         <th scope="row"><label for="table_prefix">TABLE명 접두사</label></th>
         <td>
             <input name="table_prefix" type="text" value="g5_" id="table_prefix">
-            <span>가능한 변경하지 마십시오.</span>
+            <span>TABLE명 접두사는 영문자, 숫자, _ 만 입력 가능합니다.</span>
         </td>
     </tr>
     </tbody>

diff --git a/install/install_db.php b/install/install_db.php
@@ -33,6 +33,10 @@
 $admin_name  = $_POST['admin_name'];
 $admin_email = $_POST['admin_email'];
 
+if (preg_match("/[^0-9a-z_]+/i", $table_prefix) ) {
+    die('<div class="ins_inner"><p>TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
+}
+
 if (preg_match("/[^0-9a-z_]+/i", $admin_id)) {
     die('<div class="ins_inner"><p>관리자 아이디는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
 }
@@ -340,10 +344,10 @@
 
 fwrite($f, "<?php\n");
 fwrite($f, "if (!defined('_GNUBOARD_')) exit;\n");
-fwrite($f, "define('G5_MYSQL_HOST', '{$mysql_host}');\n");
-fwrite($f, "define('G5_MYSQL_USER', '{$mysql_user}');\n");
-fwrite($f, "define('G5_MYSQL_PASSWORD', '{$mysql_pass}');\n");
-fwrite($f, "define('G5_MYSQL_DB', '{$mysql_db}');\n");
+fwrite($f, "define('G5_MYSQL_HOST', '".addcslashes($mysql_host, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_USER', '".addcslashes($mysql_user, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_PASSWORD', '".addcslashes($mysql_pass, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_DB', '".addcslashes($mysql_db, "\\'")."');\n");
 fwrite($f, "define('G5_MYSQL_SET_MODE', {$mysql_set_mode});\n\n");
 fwrite($f, "define('G5_TABLE_PREFIX', '{$table_prefix}');\n\n");
 fwrite($f, "\$g5['write_prefix'] = G5_TABLE_PREFIX.'write_'; // 게시판 테이블명 접두사\n\n");

diff --git a/lib/common.lib.php b/lib/common.lib.php
@@ -3070,6 +3070,22 @@ function clean_xss_attributes($str)
     return $str;
 }
 
+function clean_relative_paths($path){
+    $path_len = strlen($path);
+
+    $i = 0;
+    while($i <= $path_len){
+        $result = str_replace('../', '', str_replace('\\', '/', $path));
+
+        if((string)$result === (string)$path) break;
+
+        $path = $result;
+        $i++;
+    }
+
+    return $path;
+}
+
 // unescape nl 얻기
 function conv_unescape_nl($str)
 {