fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-06 02:01:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

#18838841 : fixed XSS, CSRF vulnerability and version up to 1.4.0.11

Browse source 
git-svn-id: http://xe-core.googlecode.com/svn/sandbox@7366 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
haneul 2010-04-14 09:54:07 +00:00
parent cdd05eaeaa
commit 144d307e48
3 changed files with 10 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/config.inc.php
View file

@ -13,7 +13,7 @@
* @brief XE의 전체 버전 표기
* 파일의 수정이 없더라도 공식 릴리즈시에 수정되어 함께 배포되어야
**/
define('__ZBXE_VERSION__', '1.4.0.10');
define('__ZBXE_VERSION__', '1.4.0.11');
/**
* @brief zbXE가 설치된 장소의 base path를 구함

5
config/func.inc.php
View file

@ -652,7 +652,7 @@
// 2. 이벤트명 뒤에는 등호(=)가 존재해야하나 앞, 뒤에 공백이 있을 수 있음
// 3. 에디터 컴포넌트에서 on으로 시작하는 변수명을 가질 수 있으므로 실제 이벤트명만을 체크해야 함
$attrs = preg_replace(
'/(\r|\n| )+on(click|dblclick|mousedown|mouseup|mouseover|mouseout|mousemove|keydown|keyup|keypress|load|unload|abort|error|select|change|submit|reset|resize|scroll|focus|blur|forminput|input|invaild|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|mousewheel|scroll|canplay|canplaythrough|durationchange|emptied|ended|error|loadeddata|loadstart|pause|play|playing|progress|ratechange|readystatechange|seeked|seeking|stalled|suspend|timeupdate|volumechange|waiting|message|show)+([= ]+)/is',
'/(\r|\n| |\t|\"|\'|\/|\`)+on(click|dblclick|mousedown|mouseup|mouseover|mouseout|mousemove|keydown|keyup|keypress|load|unload|abort|error|select|change|submit|reset|resize|scroll|focus|blur|forminput|input|invaild|drag|dragend|dragenter|dragleave|dragover|dragstart|drop|mousewheel|scroll|canplay|canplaythrough|durationchange|emptied|ended|error|loadeddata|loadstart|pause|play|playing|progress|ratechange|readystatechange|seeked|seeking|stalled|suspend|timeupdate|volumechange|waiting|message|show)+([= \r\n\t]+)/is',
' _on$2=',
$attrs
);
@ -678,7 +678,8 @@
$dynsrc = $xml_doc->{$tag}->attrs->dynsrc;
$lowsrc = $xml_doc->{$tag}->attrs->lowsrc;
$href = $xml_doc->{$tag}->attrs->href;
if(_isHackedSrc($src) || _isHackedSrc($dynsrc) || _isHackedSrc($lowsrc) || _isHackedSrc($href) ) return sprintf("<%s>",$tag);
$data = $xml_doc->{$tag}->attrs->data;
if(_isHackedSrc($src) || _isHackedSrc($dynsrc) || _isHackedSrc($lowsrc) || _isHackedSrc($href) || _isHackedSrc($data)) return sprintf("<%s>",$tag);
return $matches[0];
}

9
modules/communication/communication.controller.php
View file

@ -85,7 +85,8 @@
}
function sendMessage($sender_srl, $receiver_srl, $title, $content, $sender_log = true) {
$content = removeHackTag($content);
$content = removeHackTag($content);
$title = htmlspecialchars($title);
// 보내는 사용자의 쪽지함에 넣을 쪽지
$sender_args->sender_srl = $sender_srl;
@ -346,7 +347,8 @@
// 변수 정리
$args->friend_group_srl = trim(Context::get('friend_group_srl'));
$args->member_srl = $logged_info->member_srl;
$args->title = Context::get('title');
$args->title = Context::get('title');
$args->title = htmlspecialchars($args->title);
if(!$args->title) return new Object(-1, 'msg_invalid_request');
// friend_group_srl이 있으면 수정
@ -376,7 +378,8 @@
// 변수 정리
$args->friend_group_srl= Context::get('friend_group_srl');
$args->member_srl = $logged_info->member_srl;
$args->title = Context::get('title');
$args->title = Context::get('title');
$args->title = htmlspecialchars($args->title);
if(!$args->title) return new Object(-1, 'msg_invalid_request');
$output = executeQuery('communication.renameFriendGroup', $args);