XEVE-19-008 URL 필터링 및 cache 파일 처리 개선

classes/context/Context.class.php

@@ -1409,33 +1409,52 @@ function _filterRequestVar($key, $val, $do_stripslashes = true, $remove_hack = f
 		foreach($val as $k => $v)
 		{
 			$k = escape($k);
+			$result[$k] = $v;
 
-			if($remove_hack && !is_array($v)) {
-				if(stripos($v, '<script') || stripos($v, 'lt;script') || stripos($v, '%3Cscript'))
+			if($remove_hack && !is_array($result[$k])) {
+				if(stripos($result[$k], '<script') || stripos($result[$k], 'lt;script') || stripos($result[$k], '%3Cscript'))
 				{
-					$result[$k] = escape($v);
-					continue;
+					$result[$k] = escape($result[$k]);
 				}
 			}
 
 			if($key === 'page' || $key === 'cpage' || substr_compare($key, 'srl', -3) === 0)
 			{
-				$result[$k] = !preg_match('/^[0-9,]+$/', $v) ? (int) $v : $v;
+				$result[$k] = !preg_match('/^[0-9,]+$/', $result[$k]) ? (int) $result[$k] : $result[$k];
 			}
 			elseif(in_array($key, array('mid','search_keyword','search_target','xe_validator_id'))) {
-				$result[$k] = escape($v, false);
+				$result[$k] = escape($result[$k], false);
 			}
 			elseif($key === 'vid')
 			{
-				$result[$k] = urlencode($v);
+				$result[$k] = urlencode($result[$k]);
 			}
 			elseif(stripos($key, 'XE_VALIDATOR', 0) === 0)
 			{
 				unset($result[$k]);
 			}
 			else
 			{
-				$result[$k] = $v;
+				if(in_array($k, array(
+					'act',
+					'addon',
+					'cur_mid',
+					'full_browse',
+					'http_status_message',
+					'l',
+					'layout',
+					'm',
+					'mid',
+					'module',
+					'selected_addon',
+					'selected_layout',
+					'selected_widget',
+					'widget',
+					'widgetstyle',
+				)))
+				{
+					$result[$k] = urlencode(preg_replace("/[^a-z0-9-_]+/i", '', $result[$k]));
+				}
 
 				if($do_stripslashes && version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc())
 				{

classes/file/FileHandler.class.php

@@ -281,6 +281,8 @@ function readDir($path, $filter = '', $to_lower = FALSE, $concat_prefix = FALSE)
 	 */
 	function makeDir($path_string)
 	{
+		$path_string = preg_replace("/[^a-z0-9-_\\\\\/\.]+/i", '', $path_string);
+		$path_string = self::getRealPath($path_string);
 		if(self::exists($path_string) !== FALSE)
 		{
 			return TRUE;

modules/editor/editor.model.php

@@ -141,24 +141,24 @@ function getDrComponentXmlInfo($drComponentName)
 		$component_info->license_link = $xml_doc->component->license->attrs->link;
 
 		$buff = '<?php if(!defined("__XE__")) exit(); ';
-		$buff .= sprintf('$xml_info->component_name = "%s";', $component_info->component_name);
-		$buff .= sprintf('$xml_info->title = "%s";', $component_info->title);
-		$buff .= sprintf('$xml_info->description = "%s";', $component_info->description);
-		$buff .= sprintf('$xml_info->version = "%s";', $component_info->version);
-		$buff .= sprintf('$xml_info->date = "%s";', $component_info->date);
-		$buff .= sprintf('$xml_info->homepage = "%s";', $component_info->homepage);
-		$buff .= sprintf('$xml_info->license = "%s";', $component_info->license);
-		$buff .= sprintf('$xml_info->license_link = "%s";', $component_info->license_link);
+		$buff .= sprintf('$xml_info->component_name = %s;', var_export($component_info->component_name, true));
+		$buff .= sprintf('$xml_info->title = %s;', var_export($component_info->title, true));
+		$buff .= sprintf('$xml_info->description = %s;', var_export($component_info->description, true));
+		$buff .= sprintf('$xml_info->version = %s;', var_export($component_info->version, true));
+		$buff .= sprintf('$xml_info->date = %s;', var_export($component_info->date, true));
+		$buff .= sprintf('$xml_info->homepage = %s;', var_export($component_info->homepage, true));
+		$buff .= sprintf('$xml_info->license = %s;', var_export($component_info->license, true));
+		$buff .= sprintf('$xml_info->license_link = %s;', var_export($component_info->license_link, true));
 
 		// Author information
 		if(!is_array($xml_doc->component->author)) $author_list[] = $xml_doc->component->author;
 		else $author_list = $xml_doc->component->author;
 
 		for($i=0; $i < count($author_list); $i++)
 		{
-			$buff .= sprintf('$xml_info->author['.$i.']->name = "%s";', $author_list[$i]->name->body);
-			$buff .= sprintf('$xml_info->author['.$i.']->email_address = "%s";', $author_list[$i]->attrs->email_address);
-			$buff .= sprintf('$xml_info->author['.$i.']->homepage = "%s";', $author_list[$i]->attrs->link);
+			$buff .= sprintf('$xml_info->author['.$i.']->name = %s;', var_export($author_list[$i]->name->body, true));
+			$buff .= sprintf('$xml_info->author['.$i.']->email_address = %s;', var_export($author_list[$i]->attrs->email_address, true));
+			$buff .= sprintf('$xml_info->author['.$i.']->homepage = %s;', var_export($author_list[$i]->attrs->link, true));
 		}
 
 		// List extra variables (text type only in the editor component)
@@ -175,8 +175,8 @@ function getDrComponentXmlInfo($drComponentName)
 				$xml_info->extra_vars->{$key}->title = $title;
 				$xml_info->extra_vars->{$key}->description = $description;
 
-				$buff .= sprintf('$xml_info->extra_vars->%s->%s = "%s";', $key, 'title', $title);
-				$buff .= sprintf('$xml_info->extra_vars->%s->%s = "%s";', $key, 'description', $description);
+				$buff .= sprintf('$xml_info->extra_vars->%s->%s = %s;', $key, 'title', var_export($title));
+				$buff .= sprintf('$xml_info->extra_vars->%s->%s = %s;', $key, 'description', var_export($description));
 			}
 		}
 

modules/layout/layout.model.php

@@ -518,26 +518,26 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 
 		$buff = array();
 		$buff[] = '$layout_info = new stdClass;';
-		$buff[] = sprintf('$layout_info->site_srl = "%s";', $site_srl);
+		$buff[] = sprintf('$layout_info->site_srl = %d;', $site_srl);
 
 		if($xml_obj->version && $xml_obj->attrs->version == '0.2')
 		{
 			// Layout title, version and other information
 			sscanf($xml_obj->date->body, '%d-%d-%d', $date_obj->y, $date_obj->m, $date_obj->d);
 			$date = sprintf('%04d%02d%02d', $date_obj->y, $date_obj->m, $date_obj->d);
-			$buff[] = sprintf('$layout_info->layout = "%s";', $layout);
-			$buff[] = sprintf('$layout_info->type = "%s";', $xml_obj->attrs->type);
-			$buff[] = sprintf('$layout_info->path = "%s";', $layout_path);
-			$buff[] = sprintf('$layout_info->title = "%s";', $xml_obj->title->body);
-			$buff[] = sprintf('$layout_info->description = "%s";', $xml_obj->description->body);
-			$buff[] = sprintf('$layout_info->version = "%s";', $xml_obj->version->body);
-			$buff[] = sprintf('$layout_info->date = "%s";', $date);
-			$buff[] = sprintf('$layout_info->homepage = "%s";', $xml_obj->link->body);
+			$buff[] = sprintf('$layout_info->layout = %s;', var_export($layout, true));
+			$buff[] = sprintf('$layout_info->type = %s;', var_export($xml_obj->attrs->type, true));
+			$buff[] = sprintf('$layout_info->path = %s;', var_export($layout_path, true));
+			$buff[] = sprintf('$layout_info->title = %s;', var_export($xml_obj->title->body, true));
+			$buff[] = sprintf('$layout_info->description = %s;', var_export($xml_obj->description->body, true));
+			$buff[] = sprintf('$layout_info->version = %s;', var_export($xml_obj->version->body, true));
+			$buff[] = sprintf('$layout_info->date = %s;', var_export($date, true));
+			$buff[] = sprintf('$layout_info->homepage = %s;', var_export($xml_obj->link->body, true));
 			$buff[] = sprintf('$layout_info->layout_srl = $layout_srl;');
 			$buff[] = sprintf('$layout_info->layout_title = $layout_title;');
-			$buff[] = sprintf('$layout_info->license = "%s";', $xml_obj->license->body);
-			$buff[] = sprintf('$layout_info->license_link = "%s";', $xml_obj->license->attrs->link);
-			$buff[] = sprintf('$layout_info->layout_type = "%s";', $layout_type);
+			$buff[] = sprintf('$layout_info->license = %s;', var_export($xml_obj->license->body, true));
+			$buff[] = sprintf('$layout_info->license_link = %s;', var_export($xml_obj->license->attrs->link, true));
+			$buff[] = sprintf('$layout_info->layout_type = %s;', var_export($layout_type, true));
 
 			// Author information
 			if(!is_array($xml_obj->author)) $author_list[] = $xml_obj->author;
@@ -547,9 +547,9 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 			for($i=0, $c=count($author_list); $i<$c; $i++)
 			{
 				$buff[] = sprintf('$layout_info->author[%d] = new stdClass;', $i);
-				$buff[] = sprintf('$layout_info->author[%d]->name = "%s";', $i, $author_list[$i]->name->body);
-				$buff[] = sprintf('$layout_info->author[%d]->email_address = "%s";', $i, $author_list[$i]->attrs->email_address);
-				$buff[] = sprintf('$layout_info->author[%d]->homepage = "%s";', $i, $author_list[$i]->attrs->link);
+				$buff[] = sprintf('$layout_info->author[%d]->name = %s;', $i, var_export($author_list[$i]->name->body, true));
+				$buff[] = sprintf('$layout_info->author[%d]->email_address = %s;', $i, var_export($author_list[$i]->attrs->email_address, true));
+				$buff[] = sprintf('$layout_info->author[%d]->homepage = %s;', $i, var_export($author_list[$i]->attrs->link, true));
 			}
 
 			// Extra vars (user defined variables to use in a template)
@@ -576,11 +576,11 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 						$name = $var->attrs->name;
 
 						$buff[] = sprintf('$layout_info->extra_var->%s = new stdClass;', $name);
-						$buff[] = sprintf('$layout_info->extra_var->%s->group = "%s";', $name, $group->title->body);
-						$buff[] = sprintf('$layout_info->extra_var->%s->title = "%s";', $name, $var->title->body);
-						$buff[] = sprintf('$layout_info->extra_var->%s->type = "%s";', $name, $var->attrs->type);
+						$buff[] = sprintf('$layout_info->extra_var->%s->group = %s;', $name, var_export($group->title->body, true));
+						$buff[] = sprintf('$layout_info->extra_var->%s->title = %s;', $name, var_export($var->title->body, true));
+						$buff[] = sprintf('$layout_info->extra_var->%s->type = %s;', $name, var_export($var->attrs->type, true));
 						$buff[] = sprintf('$layout_info->extra_var->%s->value = $vars->%s;', $name, $name);
-						$buff[] = sprintf('$layout_info->extra_var->%s->description = "%s";', $name, str_replace('"','\"',$var->description->body));
+						$buff[] = sprintf('$layout_info->extra_var->%s->description = %s;', $name, var_export($var->description->body, true));
 
 						$options = $var->options;
 						if(!$options) continue;
@@ -591,44 +591,44 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 						$thumbnail_exist = false;
 						for($j=0; $j < $options_count; $j++)
 						{
-							$buff[] = sprintf('$layout_info->extra_var->%s->options["%s"] = new stdClass;', $var->attrs->name, $options[$j]->attrs->value);
+							$buff[] = sprintf('$layout_info->extra_var->%s->options[%s] = new stdClass;', $var->attrs->name, var_export($options[$j]->attrs->value, true));
 							$thumbnail = $options[$j]->attrs->src;
 							if($thumbnail)
 							{
 								$thumbnail = $layout_path.$thumbnail;
 								if(file_exists($thumbnail))
 								{
-									$buff[] = sprintf('$layout_info->extra_var->%s->options["%s"]->thumbnail = "%s";', $var->attrs->name, $options[$j]->attrs->value, $thumbnail);
+									$buff[] = sprintf('$layout_info->extra_var->%s->options[%s]->thumbnail = %s;', $var->attrs->name, var_export($options[$j]->attrs->value, true), var_export($thumbnail, true));
 									if(!$thumbnail_exist)
 									{
 										$buff[] = sprintf('$layout_info->extra_var->%s->thumbnail_exist = true;', $var->attrs->name);
 										$thumbnail_exist = true;
 									}
 								}
 							}
-							$buff[] = sprintf('$layout_info->extra_var->%s->options["%s"]->val = "%s";', $var->attrs->name, $options[$j]->attrs->value, $options[$j]->title->body);
+							$buff[] = sprintf('$layout_info->extra_var->%s->options[%s]->val = %s;', $var->attrs->name, var_export($options[$j]->attrs->value, true), var_export($options[$j]->title->body, true));
 						}
 					}
 				}
 			}
-			$buff[] = sprintf('$layout_info->extra_var_count = "%s";', $extra_var_count);
+			$buff[] = sprintf('$layout_info->extra_var_count = %d;', $extra_var_count);
 			// Menu
 			if($xml_obj->menus->menu)
 			{
 				$menus = $xml_obj->menus->menu;
 				if(!is_array($menus)) $menus = array($menus);
 
 				$menu_count = count($menus);
-				$buff[] = sprintf('$layout_info->menu_count = "%s";', $menu_count);
+				$buff[] = sprintf('$layout_info->menu_count = %d;', $menu_count);
 				$buff[] = '$layout_info->menu = new stdClass;';
 				for($i=0;$i<$menu_count;$i++)
 				{
 					$name = $menus[$i]->attrs->name;
-					if($menus[$i]->attrs->default == "true") $buff[] = sprintf('$layout_info->default_menu = "%s";', $name);
+					if($menus[$i]->attrs->default == "true") $buff[] = sprintf('$layout_info->default_menu = %s;', var_export($name, true));
 					$buff[] = sprintf('$layout_info->menu->%s = new stdClass;', $name);
-					$buff[] = sprintf('$layout_info->menu->%s->name = "%s";',$name, $menus[$i]->attrs->name);
-					$buff[] = sprintf('$layout_info->menu->%s->title = "%s";',$name, $menus[$i]->title->body);
-					$buff[] = sprintf('$layout_info->menu->%s->maxdepth = "%s";',$name, $menus[$i]->attrs->maxdepth);
+					$buff[] = sprintf('$layout_info->menu->%s->name = %s;',$name, var_export($menus[$i]->attrs->name, true));
+					$buff[] = sprintf('$layout_info->menu->%s->title = %s;',$name, var_export($menus[$i]->title->body, true));
+					$buff[] = sprintf('$layout_info->menu->%s->maxdepth = %s;',$name, var_export($menus[$i]->attrs->maxdepth, true));
 
 					$buff[] = sprintf('$layout_info->menu->%s->menu_srl = $vars->%s;', $name, $name);
 					$buff[] = sprintf('$layout_info->menu->%s->xml_file = "./files/cache/menu/".$vars->%s.".xml.php";',$name, $name);
@@ -641,18 +641,18 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 			// Layout title, version and other information
 			sscanf($xml_obj->author->attrs->date, '%d. %d. %d', $date_obj->y, $date_obj->m, $date_obj->d);
 			$date = sprintf('%04d%02d%02d', $date_obj->y, $date_obj->m, $date_obj->d);
-			$buff[] = sprintf('$layout_info->layout = "%s";', $layout);
-			$buff[] = sprintf('$layout_info->path = "%s";', $layout_path);
-			$buff[] = sprintf('$layout_info->title = "%s";', $xml_obj->title->body);
-			$buff[] = sprintf('$layout_info->description = "%s";', $xml_obj->author->description->body);
-			$buff[] = sprintf('$layout_info->version = "%s";', $xml_obj->attrs->version);
-			$buff[] = sprintf('$layout_info->date = "%s";', $date);
+			$buff[] = sprintf('$layout_info->layout = %s;', var_export($layout, true));
+			$buff[] = sprintf('$layout_info->path = %s;', var_export($layout_path, true));
+			$buff[] = sprintf('$layout_info->title = %s;', var_export($xml_obj->title->body, true));
+			$buff[] = sprintf('$layout_info->description = %s;', var_export($xml_obj->author->description->body, true));
+			$buff[] = sprintf('$layout_info->version = %s;', var_export($xml_obj->attrs->version, true));
+			$buff[] = sprintf('$layout_info->date = %s;', var_export($date, true));
 			$buff[] = sprintf('$layout_info->layout_srl = $layout_srl;');
 			$buff[] = sprintf('$layout_info->layout_title = $layout_title;');
 			// Author information
-			$buff[] = sprintf('$layout_info->author[0]->name = "%s";', $xml_obj->author->name->body);
-			$buff[] = sprintf('$layout_info->author[0]->email_address = "%s";', $xml_obj->author->attrs->email_address);
-			$buff[] = sprintf('$layout_info->author[0]->homepage = "%s";', $xml_obj->author->attrs->link);
+			$buff[] = sprintf('$layout_info->author[0]->name = %s;', var_export($xml_obj->author->name->body, true));
+			$buff[] = sprintf('$layout_info->author[0]->email_address = %s;', var_export($xml_obj->author->attrs->email_address, true));
+			$buff[] = sprintf('$layout_info->author[0]->homepage = %s;', var_export($xml_obj->author->attrs->link, true));
 			// Extra vars (user defined variables to use in a template)
 			$extra_var_groups = $xml_obj->extra_vars->group;
 			if(!$extra_var_groups) $extra_var_groups = $xml_obj->extra_vars;
@@ -666,18 +666,18 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 
 					$extra_var_count = count($extra_vars);
 
-					$buff[] = sprintf('$layout_info->extra_var_count = "%s";', $extra_var_count);
+					$buff[] = sprintf('$layout_info->extra_var_count = %d;', $extra_var_count);
 					for($i=0;$i<$extra_var_count;$i++)
 					{
 						unset($var, $options);
 						$var = $extra_vars[$i];
 						$name = $var->attrs->name;
 
-						$buff[] = sprintf('$layout_info->extra_var->%s->group = "%s";', $name, $group->title->body);
-						$buff[] = sprintf('$layout_info->extra_var->%s->title = "%s";', $name, $var->title->body);
-						$buff[] = sprintf('$layout_info->extra_var->%s->type = "%s";', $name, $var->attrs->type);
+						$buff[] = sprintf('$layout_info->extra_var->%s->group = %s;', $name, var_export($group->title->body, true));
+						$buff[] = sprintf('$layout_info->extra_var->%s->title = %s;', $name, var_export($var->title->body, true));
+						$buff[] = sprintf('$layout_info->extra_var->%s->type = %s;', $name, var_export($var->attrs->type, true));
 						$buff[] = sprintf('$layout_info->extra_var->%s->value = $vars->%s;', $name, $name);
-						$buff[] = sprintf('$layout_info->extra_var->%s->description = "%s";', $name, str_replace('"','\"',$var->description->body));
+						$buff[] = sprintf('$layout_info->extra_var->%s->description = %s;', $name, var_export($var->description->body, true));
 
 						$options = $var->options;
 						if(!$options) continue;
@@ -686,7 +686,7 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 						$options_count = count($options);
 						for($j=0;$j<$options_count;$j++)
 						{
-							$buff[] = sprintf('$layout_info->extra_var->%s->options["%s"]->val = "%s";', $var->attrs->name, $options[$j]->value->body, $options[$j]->title->body);
+							$buff[] = sprintf('$layout_info->extra_var->%s->options[%s]->val = %s;', $var->attrs->name, var_export($options[$j]->value->body, true), var_export($options[$j]->title->body, true));
 						}
 					}
 				}
@@ -698,14 +698,14 @@ function getLayoutInfo($layout, $info = null, $layout_type = "P")
 				if(!is_array($menus)) $menus = array($menus);
 
 				$menu_count = count($menus);
-				$buff[] = sprintf('$layout_info->menu_count = "%s";', $menu_count);
+				$buff[] = sprintf('$layout_info->menu_count = %d;', $menu_count);
 				for($i=0;$i<$menu_count;$i++)
 				{
 					$name = $menus[$i]->attrs->name;
-					if($menus[$i]->attrs->default == "true") $buff[] = sprintf('$layout_info->default_menu = "%s";', $name);
-					$buff[] = sprintf('$layout_info->menu->%s->name = "%s";',$name, $name);
-					$buff[] = sprintf('$layout_info->menu->%s->title = "%s";',$name, $menus[$i]->title->body);
-					$buff[] = sprintf('$layout_info->menu->%s->maxdepth = "%s";',$name, $menus[$i]->maxdepth->body);
+					if($menus[$i]->attrs->default == "true") $buff[] = sprintf('$layout_info->default_menu = %s;', var_export($name, true));
+					$buff[] = sprintf('$layout_info->menu->%s->name = %s;',$name, var_export($name, true));
+					$buff[] = sprintf('$layout_info->menu->%s->title = %s;',$name, var_export($menus[$i]->title->body, true));
+					$buff[] = sprintf('$layout_info->menu->%s->maxdepth = %s;',$name, var_export($menus[$i]->maxdepth->body, true));
 					$buff[] = sprintf('$layout_info->menu->%s->menu_srl = $vars->%s;', $name, $name);
 					$buff[] = sprintf('$layout_info->menu->%s->xml_file = "./files/cache/menu/".$vars->%s.".xml.php";',$name, $name);
 					$buff[] = sprintf('$layout_info->menu->%s->php_file = "./files/cache/menu/".$vars->%s.".php";',$name, $name);

modules/module/module.view.php

@@ -22,7 +22,7 @@ function init()
 	function dispModuleSkinInfo()
 	{
 		$selected_module = Context::get('selected_module');
-		$skin = Context::get('skin');
+		$skin = urlencode(preg_replace("/[^a-z0-9-_]+/i", '', Context::get('skin')));
 		// Get modules/skin information
 		$module_path = sprintf("./modules/%s/", $selected_module);
 		if(!is_dir($module_path)) $this->stop("msg_invalid_request");
@@ -32,7 +32,7 @@ function dispModuleSkinInfo()
 
 		$oModuleModel = getModel('module');
 		$skin_info = $oModuleModel->loadSkinInfo($module_path, $skin);
-		Context::set('skin_info',$skin_info);
+		Context::set('skin_info', $skin_info);
 
 		$this->setLayoutFile("popup_layout");
 		$this->setTemplateFile("skin_info");