From 53e81785bd0f7e7990334906e03c48169d184c86 Mon Sep 17 00:00:00 2001
From: khongchi
Date: Mon, 13 Jan 2014 16:43:34 +0900
Subject: [PATCH 1/2] =?UTF-8?q?#309=20SECISSUE=20homepage=ED=95=84?= =?UTF-8?q?=EB=93=9C=EB=A5=BC=20=EC=9D=B4=EC=9A=A9=ED=95=9C=20XSS=20?= =?UTF-8?q?=EA=B3=B5=EA=B2=A9=20=EB=B0=A9=EC=96=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/document/document.controller.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php
index a4677133f..15771b9ff 100644
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@@ -200,7 +200,15 @@ class documentController extends document
 if(!$obj->commentStatus) $obj->commentStatus = 'DENY';
 if($obj->commentStatus == 'DENY') $this->_checkCommentStatusForOldVersion($obj);
 if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
-if($obj->homepage && !preg_match('/^[a-z]+:\/\//i',$obj->homepage)) $obj->homepage = 'http://'.$obj->homepage;
+if($obj->homepage)
+{
+$obj->homepage = removeHackTag($obj->homepage);
+if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
+{
+$obj->homepage = 'http://'.$obj->homepage;
+}
+}
+
 if($obj->notify_message != 'Y') $obj->notify_message = 'N';
 if(!$obj->email_address) $obj->email_address = '';
 if(!$isRestore) $obj->ipaddress = $_SERVER['REMOTE_ADDR']; //board?�서 form key값으�?ipaddress�??�용?�면 ?�한 ip가 ?�록?? ?�터?�???��??�슴
From b5b432d577c66c012e816ad9200b26b23a54a16e Mon Sep 17 00:00:00 2001
From: khongchi
Date: Mon, 13 Jan 2014 18:21:25 +0900
Subject: [PATCH 2/2] Version update: 1.7.3.8
---
 config/config.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/config.inc.php b/config/config.inc.php
index c247f02c7..20e099f31 100644
--- a/config/config.inc.php
+++ b/config/config.inc.php
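Review bot: The scheme test on the added line `if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))` only checks that some scheme is present, so a homepage value with a non-HTTP scheme (a `javascript://…` form, for instance) satisfies the pattern and is stored unchanged, and whether removeHackTag() strips scheme-based payloads rather than only markup is not visible in this hunk. Allowlisting the schemes that belong in a homepage link makes the intent explicit and turns anything else into a harmless prefixed value: `if(!preg_match('/^https?:\/\//i', $obj->homepage)) $obj->homepage = 'http://'.$obj->homepage;` (add `ftp` to the alternation if it must stay supported). If this field is later emitted into an href or HTML text, escaping at output time with htmlspecialchars and ENT_QUOTES is still required in addition to this input-side filtering. The empty `+` line after the closing brace is stray whitespace. The enclosing method starts and ends outside the hunk.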
@@ -42,7 +42,7 @@ define('__ZBXE__', __XE__);
 * '2' means 'release candidate' status.
 * '3' means 'final' status.
 */
-define('__XE_VERSION__', '1.7.3.7');
+define('__XE_VERSION__', '1.7.3.8');
 /**
 * @deprecated __ZBXE_VERSION__ will be removed. Use __XE_VERSION__ instead.