Fix vulnerable.

2022-11-01 21:07:41 +08:00 · 2022-11-01 21:07:41 +08:00 · 455523cb09
parent d150a698cd
commit 455523cb09
2 changed files with 9 additions and 9 deletions
--- a/app/controllers/admin/patchfiles_controller.rb
+++ b/app/controllers/admin/patchfiles_controller.rb
@ -112,8 +112,8 @@ class Admin::PatchfilesController < OrbitAdminController
        @file = params["fontfile"]["font_file"] if params["fontfile"]["font_file"] != ""
        @file_path = Rails.root.to_s + '/app/assets/fonts'
        
-        if @file.nil? != true
-          @file_name = @file.original_filename
+        if !@file.nil?
+          @file_name = File.basename(@file.original_filename)
          @file_content = @file.read
          @file_content.force_encoding('UTF-8')
          File.open("#{@file_path}/#{@file_name}","w+") do |f|
--- a/updatefiles/application_helper.rb
+++ b/updatefiles/application_helper.rb
@ -707,8 +707,8 @@ module ApplicationHelper
 				plugin = OrbitApp::Plugin::Registration.find_by_module_app_name(page.module.classify) || OrbitApp::Plugin::Registration.find_by_module_app_name(page.module)
 				override_data = {'widget-title'=>plugin.name}
 			end
-			filename = overridehtml.nil? ? params[:layout_type].to_s.split('/').last : overridehtml
-			module_name = params[:target_controller].to_s.split('/').last.singularize
+			filename = overridehtml.nil? ? File.basename(params[:layout_type]) : overridehtml
+			module_name = File.basename(params[:target_controller]).singularize
 			f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#{filename}.html.erb")
 			if !File.exists?f
 				f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "index.html.erb")
@ -768,8 +768,8 @@ module ApplicationHelper
 				return "<div class='well'>No content to show.</div>".html_safe
 			end
 		else
-			filename = overridehtml.nil? ? params[:target_action].to_s.split('/').last : overridehtml
-			module_name = params[:target_controller].to_s.split('/').last.singularize
+			filename = overridehtml.nil? ? File.basename(params[:target_action]) : overridehtml
+			module_name = File.basename(params[:target_controller]).singularize
 			f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#{filename}.html.erb")
 			if File.exists?f
 				file =  File.open(f)
@ -1050,8 +1050,8 @@ module ApplicationHelper
 	end

 	def write_debug_file(e,controller_name,action_name)
-		controller_name = controller_name.to_s.split('/').last
-		action_name = action_name.to_s.split('/').last
+		controller_name = File.basename(controller_name)
+		action_name = File.basename(action_name)
 		url_dir_name = request.fullpath.split("?")[0]
 		url_dir_name = URI.decode(url_dir_name)
 		url_dir_name = (url_dir_name  == "/" ? "home" : url_dir_name.sub("/","").gsub("/","_").gsub("-","_").gsub(" ","_"))
@ -1095,4 +1095,4 @@ module ApplicationHelper
 		}
 	end

-end
+end