KVE-2021-1116 그누보드 XSS 취약점 수정

gnuboard · Jul 26, 2022 · 71f58f3 · 71f58f3
1 parent a6e302f
commit 71f58f3
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 12 deletions.
diff --git a/adm/board_form.php b/adm/board_form.php
@@ -914,7 +914,7 @@
         <tr>
             <th scope="row"><label for="bo_include_head">상단 파일 경로</label></th>
             <td>
-                <input type="text" name="bo_include_head" value="<?php echo $board['bo_include_head'] ?>" id="bo_include_head" class="frm_input" size="50">
+                <input type="text" name="bo_include_head" value="<?php echo get_sanitize_input($board['bo_include_head']); ?>" id="bo_include_head" class="frm_input" size="50">
             </td>
             <td class="td_grpset">
                 <input type="checkbox" name="chk_grp_include_head" value="1" id="chk_grp_include_head">
@@ -926,7 +926,7 @@
         <tr>
             <th scope="row"><label for="bo_include_tail">하단 파일 경로</label></th>
             <td>
-                <input type="text" name="bo_include_tail" value="<?php echo $board['bo_include_tail'] ?>" id="bo_include_tail" class="frm_input" size="50">
+                <input type="text" name="bo_include_tail" value="<?php echo get_sanitize_input($board['bo_include_tail']); ?>" id="bo_include_tail" class="frm_input" size="50">
             </td>
             <td class="td_grpset">
                 <input type="checkbox" name="chk_grp_include_tail" value="1" id="chk_grp_include_tail">
@@ -1423,9 +1423,10 @@ function use_captcha_check(){
     });
 }
 
+var bo_include_head = jQuery.trim(jQuery("#bo_include_head").val()),
+    bo_include_tail = jQuery.trim(jQuery("#bo_include_tail").val());
+
 function frm_check_file(){
-    var bo_include_head = "<?php echo $board['bo_include_head']; ?>";
-    var bo_include_tail = "<?php echo $board['bo_include_tail']; ?>";
     var head = jQuery.trim(jQuery("#bo_include_head").val());
     var tail = jQuery.trim(jQuery("#bo_include_tail").val());
 

diff --git a/adm/contentform.php b/adm/contentform.php
@@ -137,14 +137,14 @@
                     <th scope="row"><label for="co_include_head">상단 파일 경로</label></th>
                     <td>
                         <?php echo help("설정값이 없으면 기본 상단 파일을 사용합니다."); ?>
-                        <input type="text" name="co_include_head" value="<?php echo $co['co_include_head']; ?>" id="co_include_head" class="frm_input" size="60">
+                        <input type="text" name="co_include_head" value="<?php echo get_sanitize_input($co['co_include_head']); ?>" id="co_include_head" class="frm_input" size="60">
                     </td>
                 </tr>
                 <tr>
                     <th scope="row"><label for="co_include_tail">하단 파일 경로</label></th>
                     <td>
                         <?php echo help("설정값이 없으면 기본 하단 파일을 사용합니다."); ?>
-                        <input type="text" name="co_include_tail" value="<?php echo $co['co_include_tail']; ?>" id="co_include_tail" class="frm_input" size="60">
+                        <input type="text" name="co_include_tail" value="<?php echo get_sanitize_input($co['co_include_tail']); ?>" id="co_include_tail" class="frm_input" size="60">
                     </td>
                 </tr>
                 <tr id="admin_captcha_box" style="display:none;">

diff --git a/adm/qa_config.php b/adm/qa_config.php
@@ -266,13 +266,13 @@
                     <tr>
                         <th scope="row"><label for="qa_include_head">상단 파일 경로</label></th>
                         <td>
-                            <input type="text" name="qa_include_head" value="<?php echo $qaconfig['qa_include_head'] ?>" id="qa_include_head" class="frm_input" size="50">
+                            <input type="text" name="qa_include_head" value="<?php echo get_sanitize_input($qaconfig['qa_include_head']); ?>" id="qa_include_head" class="frm_input" size="50">
                         </td>
                     </tr>
                     <tr>
                         <th scope="row"><label for="qa_include_tail">하단 파일 경로</label></th>
                         <td>
-                            <input type="text" name="qa_include_tail" value="<?php echo $qaconfig['qa_include_tail'] ?>" id="qa_include_tail" class="frm_input" size="50">
+                            <input type="text" name="qa_include_tail" value="<?php echo get_sanitize_input($qaconfig['qa_include_tail']); ?>" id="qa_include_tail" class="frm_input" size="50">
                         </td>
                     </tr>
                     <tr id="admin_captcha_box" style="display:none;">
@@ -344,7 +344,9 @@
 </form>
 
 <script>
-    var captcha_chk = false;
+    var captcha_chk = false,
+        qa_include_head = jQuery.trim(jQuery("#qa_include_head").val()),
+        qa_include_tail = jQuery.trim(jQuery("#qa_include_tail").val());
 
     function use_captcha_check() {
         $.ajax({
@@ -361,8 +363,6 @@ function use_captcha_check() {
     }
 
     function frm_check_file() {
-        var qa_include_head = "<?php echo $qaconfig['qa_include_head']; ?>";
-        var qa_include_tail = "<?php echo $qaconfig['qa_include_tail']; ?>";
         var head = jQuery.trim(jQuery("#qa_include_head").val());
         var tail = jQuery.trim(jQuery("#qa_include_tail").val());
 

diff --git a/lib/common.lib.php b/lib/common.lib.php
@@ -3965,7 +3965,7 @@ function get_random_token_string($length=6)
 }
 
 function filter_input_include_path($path){
-    return str_replace('//', '/', $path);
+    return str_replace('//', '/', strip_tags($path));
 }
 
 function option_array_checked($option, $arr=array()){