[KVE-2020-0200,0202]영카트 다중취약점 수정

gnuboard · May 8, 2020 · 478dd0f · 478dd0f
1 parent f584c2b
commit 478dd0f
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 13 deletions.
diff --git a/adm/shop_admin/categoryform.php b/adm/shop_admin/categoryform.php
@@ -5,6 +5,8 @@
 
 auth_check($auth[$sub_menu], "w");
 
+$ca_id = isset($ca_id) ? preg_replace('/[^0-9a-z]/i', '', $ca_id) : '';
+
 $sql_common = " from {$g5['g5_shop_category_table']} ";
 if ($is_admin != 'super')
     $sql_common .= " where ca_mb_id = '{$member['mb_id']}' ";

diff --git a/adm/shop_admin/itemdelete.inc.php b/adm/shop_admin/itemdelete.inc.php
@@ -19,7 +19,7 @@ function itemdelete($it_id)
         // 상품 이미지 삭제
         $dir_list = array();
         for($i=1; $i<=10; $i++) {
-            $file = G5_DATA_PATH.'/item/'.$it['it_img'.$i];
+            $file = G5_DATA_PATH.'/item/'.clean_relative_paths($it['it_img'.$i]);
             if(is_file($file) && $it['it_img'.$i]) {
                 @unlink($file);
                 $dir = dirname($file);
@@ -78,9 +78,9 @@ function itemdelete($it_id)
             else
                 $data_path = $p['path'];
 
-            $destfile = G5_PATH.$data_path;
+            $destfile = G5_PATH.clean_relative_paths($data_path);
 
-            if(is_file($destfile))
+            if(is_file($destfile) && preg_match('/(\.(gif|jpe?g|png))$/i', $destfile))
                 @unlink($destfile);
         }
 
@@ -95,9 +95,9 @@ function itemdelete($it_id)
             else
                 $data_path = $p['path'];
 
-            $destfile = G5_PATH.$data_path;
+            $destfile = G5_PATH.clean_relative_paths($data_path);
 
-            if(is_file($destfile))
+            if(is_file($destfile) && preg_match('/(\.(gif|jpe?g|png))$/i', $destfile))
                 @unlink($destfile);
         }
         //------------------------------------------------------------------------

diff --git a/install/install_config.php b/install/install_config.php
@@ -67,7 +67,7 @@
     <tr>
         <th scope="row"><label for="">쇼핑몰TABLE명 접두사</label></th>
         <td>
-            <span>가능한 변경하지 마십시오.</span>
+            <span>쇼핑몰TABLE명 접두사는 영문자, 숫자, _ 만 입력 가능합니다.</span>
             <input name="g5_shop_prefix" type="text" value="g5_shop_" id="g5_shop_prefix">
         </td>
     </tr>

diff --git a/install/install_db.php b/install/install_db.php
@@ -23,22 +23,22 @@
 
 //print_r($_POST); exit;
 
-$mysql_host  = $_POST['mysql_host'];
-$mysql_user  = $_POST['mysql_user'];
-$mysql_pass  = $_POST['mysql_pass'];
-$mysql_db    = $_POST['mysql_db'];
-$table_prefix= $_POST['table_prefix'];
+$mysql_host  = safe_install_string_check($_POST['mysql_host']);
+$mysql_user  = safe_install_string_check($_POST['mysql_user']);
+$mysql_pass  = safe_install_string_check($_POST['mysql_pass']);
+$mysql_db    = safe_install_string_check($_POST['mysql_db']);
+$table_prefix= safe_install_string_check($_POST['table_prefix']);
 $admin_id    = $_POST['admin_id'];
 $admin_pass  = $_POST['admin_pass'];
 $admin_name  = $_POST['admin_name'];
 $admin_email = $_POST['admin_email'];
 $g5_install = 0;
 if (isset($_POST['g5_install']))
     $g5_install  = $_POST['g5_install'];
-$g5_shop_prefix = $_POST['g5_shop_prefix'];
+$g5_shop_prefix = safe_install_string_check($_POST['g5_shop_prefix']);
 $g5_shop_install= $_POST['g5_shop_install'];
 
-if (preg_match("/[^0-9a-z_]+/i", $table_prefix) ) {
+if (preg_match("/[^0-9a-z_]+/i", $table_prefix) || preg_match("/[^0-9a-z_]+/i", $g5_shop_prefix)) {
     die('<div class="ins_inner"><p>TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
 }