kaffa/gnuboard-r2-storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: SQL 인젝션 취약점 및 입력 검증 수정

Browse Source 
- r2_migrate_board_files(): SQL 인젝션 방지를 위해 escape 처리
- r2_migrate_board_files(): 테이블명 정규식 검증 추가
- handleUpload(): 파일 배열 필수 키 체크 추가

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kappa
2026-01-10 14:59:43 +09:00
parent dd86ccb782
commit a7104b66fc
2 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
extend/r2-storage/src/R2FileHandler.php
View File

@@ -117,6 +117,11 @@ class R2FileHandler
*/
public function handleUpload(array $file, string $boTable, int $memberId = 0, string $type = 'board'): array
{
// 필수 키 체크
if (!isset($file['error']) || !isset($file['tmp_name']) || !isset($file['name']) || !isset($file['size'])) {
return ['success' => false, 'error' => 'Invalid file array'];
}
// 업로드 에러 체크
if ($file['error'] !== UPLOAD_ERR_OK) {
return $this->handleUploadError($file['error']);

17
extend/r2_hooks.php
View File

@@ -221,10 +221,17 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
$handler = get_r2_handler();
$results = ['migrated' => 0, 'failed' => 0, 'skipped' => 0, 'errors' => []];
// 테이블명 검증 (영문, 숫자, 언더스코어만 허용)
if (!preg_match('/^[a-zA-Z0-9_]+$/', $boTable)) {
return ['success' => false, 'error' => 'Invalid table name'];
}
$limit = (int) $limit;
// 아직 마이그레이션되지 않은 파일 조회
$sql = "SELECT bf_no, wr_id, bf_file, bf_source
FROM {$g5['board_file_table']}
WHERE bo_table = '{$boTable}'
WHERE bo_table = '" . sql_real_escape_string($boTable) . "'
AND (bf_storage_type IS NULL OR bf_storage_type = 'local')
AND bf_r2_key IS NULL
LIMIT {$limit}";
@@ -240,10 +247,12 @@ function r2_migrate_board_files(string $boTable, int $limit = 100): array
}
// 회원 ID 조회 (게시글에서)
$write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$row['wr_id']}'");
$wrId = (int) $row['wr_id'];
$write = sql_fetch("SELECT mb_id FROM {$g5['write_prefix']}{$boTable} WHERE wr_id = '{$wrId}'");
$memberId = 0;
if ($write['mb_id']) {
$member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$write['mb_id']}'");
if (!empty($write['mb_id'])) {
$mbId = sql_real_escape_string($write['mb_id']);
$member = sql_fetch("SELECT mb_no FROM {$g5['member_table']} WHERE mb_id = '{$mbId}'");
$memberId = (int) ($member['mb_no'] ?? 0);
}