patch secure: 086a1738d9

2024-09-22 11:15:16 +09:00 · 2024-09-22 11:15:16 +09:00 · 1df8602efe
commit 1df8602efe
parent 93e1e1c59f
2 changed files with 42 additions and 5 deletions
--- a/AvocadoEdition_Light/adm/menu_list_update.php
+++ b/AvocadoEdition_Light/adm/menu_list_update.php
@ -1,6 +1,6 @@
 <?php
 $sub_menu = "100400";
-include_once ('./_common.php');
+include_once('./_common.php');
 check_demo();
@ -19,6 +19,12 @@ $count = count($_POST['code']);
 for ($i = 0; $i < $count; $i++) {
  $_POST = array_map_deep('trim', $_POST);
  if (preg_match('/^javascript/i', preg_replace('/[ ]{1,}|[\t]/', '', $_POST['me_link'][$i]))) {
    $_POST['me_link'][$i] = G5_URL;
  }
  $_POST['me_link'][$i] = is_array($_POST['me_link']) ? clean_xss_tags(clean_xss_attributes(preg_replace('/[ ]{2,}|[\t]/', '', $_POST['me_link'][$i]), 1)) : '';
  $code = strip_tags($_POST['code'][$i]);
  $me_name = strip_tags($_POST['me_name'][$i]);
  // kve-2021-0755 gnuboard 3a3434104c
@ -59,9 +65,9 @@ for ($i = 0; $i < $count; $i++) {
              me_icon     = '{$_POST['me_icon'][$i]}',
              me_name     = '{$me_name}',
              me_link     = '{$me_link}',
-              me_target   = '".sql_real_escape_string(strip_tags($_POST['me_target'][$i]))."',
+              me_target   = '" . sql_real_escape_string(strip_tags($_POST['me_target'][$i])) . "',
-              me_order    = '".sql_real_escape_string(strip_tags($_POST['me_order'][$i]))."',
+              me_order    = '" . sql_real_escape_string(strip_tags($_POST['me_order'][$i])) . "',
-              me_use      = '".sql_real_escape_string(strip_tags($_POST['me_use'][$i]))."',
+              me_use      = '" . sql_real_escape_string(strip_tags($_POST['me_use'][$i])) . "',
              me_depth    = '{$me_depth}',
              me_parent   = '{$me_parent}'";
  sql_query($sql);
--- a/AvocadoEdition_Light/lib/common.lib.php
+++ b/AvocadoEdition_Light/lib/common.lib.php
@ -2940,6 +2940,37 @@ function clean_xss_tags($str, $check_entities = 0, $is_remove_tags = 0, $cur_str
  return $str;
 }
 // XSS 어트리뷰트 태그 제거
 function clean_xss_attributes($str)
 {
  $xss_attributes_string = 'onAbort|onActivate|onAttribute|onAfterPrint|onAfterScriptExecute|onAfterUpdate|onAnimationCancel|onAnimationEnd|onAnimationIteration|onAnimationStart|onAriaRequest|onAutoComplete|onAutoCompleteError|onAuxClick|onBeforeActivate|onBeforeCopy|onBeforeCut|onBeforeDeactivate|onBeforeEditFocus|onBeforePaste|onBeforePrint|onBeforeScriptExecute|onBeforeUnload|onBeforeUpdate|onBegin|onBlur|onBounce|onCancel|onCanPlay|onCanPlayThrough|onCellChange|onChange|onClick|onClose|onCommand|onCompassNeedsCalibration|onContextMenu|onControlSelect|onCopy|onCueChange|onCut|onDataAvailable|onDataSetChanged|onDataSetComplete|onDblClick|onDeactivate|onDeviceLight|onDeviceMotion|onDeviceOrientation|onDeviceProximity|onDrag|onDragDrop|onDragEnd|onDragEnter|onDragLeave|onDragOver|onDragStart|onDrop|onDurationChange|onEmptied|onEnd|onEnded|onError|onErrorUpdate|onExit|onFilterChange|onFinish|onFocus|onFocusIn|onFocusOut|onFormChange|onFormInput|onFullScreenChange|onFullScreenError|onGotPointerCapture|onHashChange|onHelp|onInput|onInvalid|onKeyDown|onKeyPress|onKeyUp|onLanguageChange|onLayoutComplete|onLoad|onLoadedData|onLoadedMetaData|onLoadStart|onLoseCapture|onLostPointerCapture|onMediaComplete|onMediaError|onMessage|onMouseDown|onMouseEnter|onMouseLeave|onMouseMove|onMouseOut|onMouseOver|onMouseUp|onMouseWheel|onMove|onMoveEnd|onMoveStart|onMozFullScreenChange|onMozFullScreenError|onMozPointerLockChange|onMozPointerLockError|onMsContentZoom|onMsFullScreenChange|onMsFullScreenError|onMsGestureChange|onMsGestureDoubleTap|onMsGestureEnd|onMsGestureHold|onMsGestureStart|onMsGestureTap|onMsGotPointerCapture|onMsInertiaStart|onMsLostPointerCapture|onMsManipulationStateChanged|onMsPointerCancel|onMsPointerDown|onMsPointerEnter|onMsPointerLeave|onMsPointerMove|onMsPointerOut|onMsPointerOver|onMsPointerUp|onMsSiteModeJumpListItemRemoved|onMsThumbnailClick|onOffline|onOnline|onOutOfSync|onPage|onPageHide|onPageShow|onPaste|onPause|onPlay|onPlaying|onPointerCancel|onPointerDown|onPointerEnter|onPointerLeave|onPointerLockChange|onPointerLockError|onPointerMove|onPointerOut|onPointerOver|onPointerUp|onPopState|onProgress|onPropertyChange|onqt_error|onRateChange|onReadyStateChange|onReceived|onRepeat|onReset|onResize|onResizeEnd|onResizeStart|onResume|onReverse|onRowDelete|onRowEnter|onRowExit|onRowInserted|onRowsDelete|onRowsEnter|onRowsExit|onRowsInserted|onScroll|onSearch|onSeek|onSeeked|onSeeking|onSelect|onSelectionChange|onSelectStart|onStalled|onStorage|onStorageCommit|onStart|onStop|onShow|onSyncRestored|onSubmit|onSuspend|onSynchRestored|onTimeError|onTimeUpdate|onTimer|onTrackChange|onTransitionEnd|onToggle|onTouchCancel|onTouchEnd|onTouchLeave|onTouchMove|onTouchStart|onTransitionCancel|onTransitionEnd|onUnload|onURLFlip|onUserProximity|onVolumeChange|onWaiting|onWebKitAnimationEnd|onWebKitAnimationIteration|onWebKitAnimationStart|onWebKitFullScreenChange|onWebKitFullScreenError|onWebKitTransitionEnd|onWheel';
  do {
    $count = $temp_count = 0;
    $str = preg_replace(
      '/(.*)(?:' . $xss_attributes_string . ')(?:\s*=\s*)(?:\'(?:.*?)\'|"(?:.*?)")(.*)/ius',
      '$1-$2-$3-$4',
      $str,
      -1,
      $temp_count
    );
    $count += $temp_count;
    $str = preg_replace(
      '/(.*)(?:' . $xss_attributes_string . ')\s*=\s*(?:[^\s>]*)(.*)/ius',
      '$1$2',
      $str,
      -1,
      $temp_count
    );
    $count += $temp_count;
  } while ($count);
  return $str;
 }
 // unescape nl 얻기
 function conv_unescape_nl($str)
 {
@ -3408,7 +3439,7 @@ function get_write_token($bo_table)
 // POST로 넘어온 토큰과 세션에 저장된 토큰 비교
 function check_write_token($bo_table)
 {
-  
+
  return true;
 }