XEVE-19-001, XEVE-19-003, XEVE-19-006

xpressengine/xe-core@18ec8078eb
2026-01-07 02:31:40 +09:00 · 2019-05-04 17:36:41 +09:00 · 2019-05-04 17:36:41 +09:00 · 70108f858d
commit 70108f858d
parent 880ae97e31
9 changed files with 86 additions and 25 deletions
--- a/modules/comment/comment.controller.php
+++ b/modules/comment/comment.controller.php
@ -440,7 +440,7 @@ class commentController extends comment

 			if($obj->homepage)
 			{
-				$obj->homepage = removeHackTag($obj->homepage);
+				$obj->homepage = escape($obj->homepage);
 				if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
 				{
 					$obj->homepage = 'http://'.$obj->homepage;
@ -803,7 +803,7 @@ class commentController extends comment

 		if($obj->homepage) 
 		{
-			$obj->homepage = removeHackTag($obj->homepage);
+			$obj->homepage = escape($obj->homepage);
 			if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
 			{
 				$obj->homepage = 'http://'.$obj->homepage;
--- a/modules/comment/comment.item.php
+++ b/modules/comment/comment.item.php
@ -287,12 +287,12 @@ class commentItem extends BaseObject
 			return;
 		}

-		if(strncasecmp('http://', $url, 7) !== 0)
+		if(!preg_match('@^[a-z]+://@i', $url))
 		{
-			$url = "http://" . $url;
+			$url = 'http://' . $url;
 		}

-		return htmlspecialchars($url, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+		return escape($url, false);
 	}

 	function getMemberSrl()
@ -302,17 +302,17 @@ class commentItem extends BaseObject

 	function getUserID()
 	{
-		return htmlspecialchars($this->get('user_id'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+		return escape($this->get('user_id'), false);
 	}

 	function getUserName()
 	{
-		return htmlspecialchars($this->get('user_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+		return escape($this->get('user_name'), false);
 	}

 	function getNickName()
 	{
-		return htmlspecialchars($this->get('nick_name'), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+		return escape($this->get('nick_name'), false);
 	}

 	function getVote()
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@ -387,7 +387,7 @@ class documentController extends document
 		if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
 		if($obj->homepage) 
 		{
-			$obj->homepage = removeHackTag($obj->homepage);
+			$obj->homepage = escape($obj->homepage);
 			if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
 			{
 				$obj->homepage = 'http://'.$obj->homepage;
@ -517,7 +517,10 @@ class documentController extends document
 		}
 		
 		// Remove iframe and script if not a top adminisrator in the session.
-		if($logged_info->is_admin != 'Y') $obj->content = removeHackTag($obj->content);
+		if($logged_info->is_admin != 'Y')
+		{
+			$obj->content = removeHackTag($obj->content);
+		}

 		// An error appears if both log-in info and user name don't exist.
 		if(!$logged_info->member_srl && !$obj->nick_name) return new BaseObject(-1, 'msg_invalid_request');
@ -692,7 +695,7 @@ class documentController extends document
 		if($obj->allow_trackback!='Y') $obj->allow_trackback = 'N';
 		if($obj->homepage)
 		{
-			$obj->homepage = removeHackTag($obj->homepage);
+			$obj->homepage = escape($obj->homepage);
 			if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
 			{
 				$obj->homepage = 'http://'.$obj->homepage;
--- a/modules/document/document.item.php
+++ b/modules/document/document.item.php
@ -438,7 +438,7 @@ class documentItem extends BaseObject
 			$url = 'http://' . $url;
 		}
 		
-		return $url;
+		return escape($url, false);
 	}

 	function getMemberSrl()
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@ -136,18 +136,25 @@ class fileController extends file
 		
 		// Save the file
 		$output = $this->insertFile($file_info, $module_srl, $upload_target_srl);
+		if($output->error != '0')
+		{
+			throw new Rhymix\Framework\Exception($output->message);
+		}
 		
+		// Create the response
 		Context::setResponseMethod('JSON');
 		$this->add('file_srl', $output->get('file_srl'));
 		$this->add('file_size', $output->get('file_size'));
 		$this->add('direct_download', $output->get('direct_download'));
 		$this->add('source_filename', $output->get('source_filename'));
 		$this->add('upload_target_srl', $output->get('upload_target_srl'));
-		$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
-		
-		if($output->error != '0')
+		if ($output->get('direct_download') === 'Y')
 		{
-			throw new Rhymix\Framework\Exception($output->message);
+			$this->add('download_url', $oFileModel->getDirectFileUrl($output->get('uploaded_filename')));
+		}
+		else
+		{
+			$this->add('download_url', $oFileModel->getDownloadUrl($output->get('file_srl'), $output->get('sid'), $module_srl));
 		}
 	}

@ -1291,13 +1298,14 @@ class fileController extends file
 		// 2: 년월일 단위로 정리
 		if ($folder_structure == 2)
 		{
-			return  sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
+			return sprintf('%sfiles/attach/%s/%04d/%02d/%02d/', $prefix, $file_type, substr($regdate, 0, 4), substr($regdate, 4, 2), substr($regdate, 6, 2));
 		}
 		
 		// 1 or 0: module_srl 및 업로드 대상 번호에 따라 3자리씩 끊어서 정리
 		else
 		{
-			return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, getNumberingPath($upload_target_srl, 3));
+			$components = $upload_target_srl ? getNumberingPath($upload_target_srl, 3) : '';
+			return sprintf('%sfiles/attach/%s/%d/%s', $prefix, $file_type, $module_srl, $components);
 		}
 	}

--- a/modules/module/module.controller.php
+++ b/modules/module/module.controller.php
@ -1163,7 +1163,9 @@ class moduleController extends module
 			$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
 			FileHandler::makeDir($path);

-			$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $ext);
+			$random = Rhymix\Framework\Security::getRandom(32, 'hex');
+			$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
+			$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
 			$tmp = $vars->addfile['tmp_name'];

 			if(!@move_uploaded_file($tmp, $save_filename))
@ -1171,7 +1173,7 @@ class moduleController extends module
 				return false;
 			}

-			$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
+			$args->fileextension = $ext;
 			$args->filename = $save_filename;
 			$args->filesize = $vars->addfile['size'];
 		}
@ -1197,7 +1199,10 @@ class moduleController extends module
 		$oModuleModel = getModel('module');
 		$path = $oModuleModel->getModuleFileBoxPath($vars->module_filebox_srl);
 		FileHandler::makeDir($path);
-		$save_filename = sprintf('%s%s.%s',$path, $vars->module_filebox_srl, $vars->ext);
+		
+		$random = Rhymix\Framework\Security::getRandom(32, 'hex');
+		$ext = substr(strrchr($vars->addfile['name'], '.'), 1);
+		$save_filename = sprintf('%s%s.%s', $path, $random, $ext);
 		$tmp = $vars->addfile['tmp_name'];

 		// upload
@ -1212,7 +1217,7 @@ class moduleController extends module
 		$args->member_srl = $vars->member_srl;
 		$args->comment = $vars->comment;
 		$args->filename = $save_filename;
-		$args->fileextension = strtolower(substr(strrchr($vars->addfile['name'],'.'),1));
+		$args->fileextension = $ext;
 		$args->filesize = $vars->addfile['size'];

 		$output = executeQuery('module.insertModuleFileBox', $args);
--- a/modules/module/module.model.php
+++ b/modules/module/module.model.php
@ -2393,7 +2393,7 @@ class moduleModel extends module

 	function getModuleFileBoxPath($module_filebox_srl)
 	{
-		return sprintf("./files/attach/filebox/%s",getNumberingPath($module_filebox_srl,3));
+		return getController('file')->getStoragePath('filebox', 0, $module_filebox_srl);
 	}

 	/**