#1713 첨부한 파일명을 이용해 임의 코드를 실행할 수 있는 문제 고침

modules/file/file.controller.php

@@ -662,16 +662,17 @@ class fileController extends file
 			}
 		}
 
+		// https://github.com/xpressengine/xe-core/issues/1713
+		$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
+		$file_info['name'] = removeHackTag($file_info['name']);
+		$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
+
 		// Get random number generator
 		$random = new Password();
-		
+
 		// Set upload path by checking if the attachement is an image or other kinds of file
 		if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
 		{
-			// Immediately remove the direct file if it has any kind of extensions for hacking
-			$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
-			$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);
-
 			$path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3));
 
 			// special character to '_'

modules/file/file.model.php

@@ -220,6 +220,7 @@ class fileModel extends file
 		{
 			$file = $file_list[$i];
 			$file->source_filename = stripslashes($file->source_filename);
+			$file->source_filename = htmlspecialchars($file->source_filename);
 			$file->download_url = $this->getDownloadUrl($file->file_srl, $file->sid, $file->module_srl);
 			$file_list[$i] = $file;
 		}