Improve granularity of Context security check

정규식에 따라 모두 막을지, 관리자만 허용할지 구분할 수 있도록 하고 이를 참조하여 <script> 태그는 관리자만 허용, PHP 태그는 모두 막도록 변경.
2026-01-03 16:51:40 +09:00 · 2018-10-13 16:42:19 +09:00 · 2018-10-13 16:42:19 +09:00 · f8b0ca6a78
commit f8b0ca6a78
parent 06349cdd98
2 changed files with 30 additions and 14 deletions
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@ -117,10 +117,10 @@ class Context
 	public $is_site_locked = FALSE;

 	/**
-	 * Check init
-	 * @var bool FALSE if init fail
+	 * Result of initial security check
+	 * @var string|bool
 	 */
-	public $isSuccessInit = TRUE;
+	public $security_check = 'OK';

 	/**
 	 * Singleton instance
@ -173,8 +173,9 @@ class Context
 	 * @var array
 	 */
 	private static $_check_patterns = array(
-		'@<(?:\?|%)@',
-		'@<script\s*?language\s*?=@i',
+		'@<(?:\?|%)@' => 'DENY ALL',
+		'@<script\s*?language\s*?=@i' => 'DENY ALL',
+		'@</?script@i' => 'ALLOW ADMIN ONLY',
 	);

 	/**
@ -1070,7 +1071,7 @@ class Context
 	{
 		if (!self::_recursiveCheckVar($_SERVER['HTTP_HOST']) || preg_match("/[\,\"\'\{\}\[\]\(\);$]/", $_SERVER['HTTP_HOST']))
 		{
-			self::$_instance->isSuccessInit = FALSE;
+			self::$_instance->security_check = 'DENY ALL';
 		}
 	}

@ -1267,7 +1268,7 @@ class Context
 				}
 				if(!UploadFileFilter::check($tmp_name, $val['name']))
 				{
-					self::$_instance->isSuccessInit = false;
+					self::$_instance->security_check = 'DENY ALL';
 					unset($_FILES[$key]);
 					continue;
 				}
@ -1287,7 +1288,7 @@ class Context
 					}
 					if(!UploadFileFilter::check($val['tmp_name'][$i], $val['name'][$i]))
 					{
-						self::$_instance->isSuccessInit = false;
+						self::$_instance->security_check = 'DENY ALL';
 						$files = array();
 						unset($_FILES[$key]);
 						break;
@ -1318,12 +1319,15 @@ class Context
 	{
 		if(is_string($val))
 		{
-			foreach(self::$_check_patterns as $pattern)
+			foreach(self::$_check_patterns as $pattern => $status)
 			{
 				if(preg_match($pattern, $val))
 				{
-					self::$_instance->isSuccessInit = false;
-					return false;
+					self::$_instance->security_check = $status;
+					if($status === 'DENY ALL')
+					{
+						return false;
+					}
 				}
 			}
 		}
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@ -42,11 +42,23 @@ class ModuleHandler extends Handler
 			return;
 		}

+		// Check security check status
 		$oContext = Context::getInstance();
-		if($oContext->isSuccessInit === false)
+		switch($oContext->security_check)
 		{
-			$this->error = 'msg_security_violation';
-			return;
+			case 'OK':
+				break;
+			case 'ALLOW ADMIN ONLY':
+				if(!Context::get('logged_info')->isAdmin())
+				{
+					$this->error = 'msg_security_violation';
+					return;
+				}
+				break;
+			case 'DENY ALL':
+			default:
+				$this->error = 'msg_security_violation';
+				return;
 		}

 		// Set variables from request arguments