amber/AvocadoAmber
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

patch secure: 086a1738d9

Browse source
This commit is contained in:
Amberstone 2024-09-22 11:15:16 +09:00
parent 93e1e1c59f
commit 1df8602efe
Signed by: amber
GPG key ID: 094B0E55F98D8BF1
2 changed files with 42 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
AvocadoEdition_Light/adm/menu_list_update.php
View file

@ -1,6 +1,6 @@
<?php
$sub_menu = "100400";
include_once ('./_common.php');
include_once('./_common.php');
check_demo();
@ -19,6 +19,12 @@ $count = count($_POST['code']);
for ($i = 0; $i < $count; $i++) {
$_POST = array_map_deep('trim', $_POST);
if (preg_match('/^javascript/i', preg_replace('/[ ]{1,}|[\t]/', '', $_POST['me_link'][$i]))) {
$_POST['me_link'][$i] = G5_URL;
}
$_POST['me_link'][$i] = is_array($_POST['me_link']) ? clean_xss_tags(clean_xss_attributes(preg_replace('/[ ]{2,}|[\t]/', '', $_POST['me_link'][$i]), 1)) : '';
$code = strip_tags($_POST['code'][$i]);
$me_name = strip_tags($_POST['me_name'][$i]);
// kve-2021-0755 gnuboard 3a3434104c
@ -59,9 +65,9 @@ for ($i = 0; $i < $count; $i++) {
me_icon = '{$_POST['me_icon'][$i]}',
me_name = '{$me_name}',
me_link = '{$me_link}',
me_target = '".sql_real_escape_string(strip_tags($_POST['me_target'][$i]))."',
me_order = '".sql_real_escape_string(strip_tags($_POST['me_order'][$i]))."',
me_use = '".sql_real_escape_string(strip_tags($_POST['me_use'][$i]))."',
me_target = '" . sql_real_escape_string(strip_tags($_POST['me_target'][$i])) . "',
me_order = '" . sql_real_escape_string(strip_tags($_POST['me_order'][$i])) . "',
me_use = '" . sql_real_escape_string(strip_tags($_POST['me_use'][$i])) . "',
me_depth = '{$me_depth}',
me_parent = '{$me_parent}'";
sql_query($sql);

31
AvocadoEdition_Light/lib/common.lib.php
View file

@ -2940,6 +2940,37 @@ function clean_xss_tags($str, $check_entities = 0, $is_remove_tags = 0, $cur_str
return $str;
}
// XSS 어트리뷰트 태그 제거
function clean_xss_attributes($str)
{
$xss_attributes_string = 'onAbort|onActivate|onAttribute|onAfterPrint|onAfterScriptExecute|onAfterUpdate|onAnimationCancel|onAnimationEnd|onAnimationIteration|onAnimationStart|onAriaRequest|onAutoComplete|onAutoCompleteError|onAuxClick|onBeforeActivate|onBeforeCopy|onBeforeCut|onBeforeDeactivate|onBeforeEditFocus|onBeforePaste|onBeforePrint|onBeforeScriptExecute|onBeforeUnload|onBeforeUpdate|onBegin|onBlur|onBounce|onCancel|onCanPlay|onCanPlayThrough|onCellChange|onChange|onClick|onClose|onCommand|onCompassNeedsCalibration|onContextMenu|onControlSelect|onCopy|onCueChange|onCut|onDataAvailable|onDataSetChanged|onDataSetComplete|onDblClick|onDeactivate|onDeviceLight|onDeviceMotion|onDeviceOrientation|onDeviceProximity|onDrag|onDragDrop|onDragEnd|onDragEnter|onDragLeave|onDragOver|onDragStart|onDrop|onDurationChange|onEmptied|onEnd|onEnded|onError|onErrorUpdate|onExit|onFilterChange|onFinish|onFocus|onFocusIn|onFocusOut|onFormChange|onFormInput|onFullScreenChange|onFullScreenError|onGotPointerCapture|onHashChange|onHelp|onInput|onInvalid|onKeyDown|onKeyPress|onKeyUp|onLanguageChange|onLayoutComplete|onLoad|onLoadedData|onLoadedMetaData|onLoadStart|onLoseCapture|onLostPointerCapture|onMediaComplete|onMediaError|onMessage|onMouseDown|onMouseEnter|onMouseLeave|onMouseMove|onMouseOut|onMouseOver|onMouseUp|onMouseWheel|onMove|onMoveEnd|onMoveStart|onMozFullScreenChange|onMozFullScreenError|onMozPointerLockChange|onMozPointerLockError|onMsContentZoom|onMsFullScreenChange|onMsFullScreenError|onMsGestureChange|onMsGestureDoubleTap|onMsGestureEnd|onMsGestureHold|onMsGestureStart|onMsGestureTap|onMsGotPointerCapture|onMsInertiaStart|onMsLostPointerCapture|onMsManipulationStateChanged|onMsPointerCancel|onMsPointerDown|onMsPointerEnter|onMsPointerLeave|onMsPointerMove|onMsPointerOut|onMsPointerOver|onMsPointerUp|onMsSiteModeJumpListItemRemoved|onMsThumbnailClick|onOffline|onOnline|onOutOfSync|onPage|onPageHide|onPageShow|onPaste|onPause|onPlay|onPlaying|onPointerCancel|onPointerDown|onPointerEnter|onPointerLeave|onPointerLockChange|onPointerLockError|onPointerMove|onPointerOut|onPointerOver|onPointerUp|onPopState|onProgress|onPropertyChange|onqt_error|onRateChange|onReadyStateChange|onReceived|onRepeat|onReset|onResize|onResizeEnd|onResizeStart|onResume|onReverse|onRowDelete|onRowEnter|onRowExit|onRowInserted|onRowsDelete|onRowsEnter|onRowsExit|onRowsInserted|onScroll|onSearch|onSeek|onSeeked|onSeeking|onSelect|onSelectionChange|onSelectStart|onStalled|onStorage|onStorageCommit|onStart|onStop|onShow|onSyncRestored|onSubmit|onSuspend|onSynchRestored|onTimeError|onTimeUpdate|onTimer|onTrackChange|onTransitionEnd|onToggle|onTouchCancel|onTouchEnd|onTouchLeave|onTouchMove|onTouchStart|onTransitionCancel|onTransitionEnd|onUnload|onURLFlip|onUserProximity|onVolumeChange|onWaiting|onWebKitAnimationEnd|onWebKitAnimationIteration|onWebKitAnimationStart|onWebKitFullScreenChange|onWebKitFullScreenError|onWebKitTransitionEnd|onWheel';
do {
$count = $temp_count = 0;
$str = preg_replace(
'/(.*)(?:' . $xss_attributes_string . ')(?:\s*=\s*)(?:\'(?:.*?)\'|"(?:.*?)")(.*)/ius',
'$1-$2-$3-$4',
$str,
-1,
$temp_count
);
$count += $temp_count;
$str = preg_replace(
'/(.*)(?:' . $xss_attributes_string . ')\s*=\s*(?:[^\s>]*)(.*)/ius',
'$1$2',
$str,
-1,
$temp_count
);
$count += $temp_count;
} while ($count);
return $str;
}
// unescape nl 얻기
function conv_unescape_nl($str)
{