Fix vulnerable.

2022-11-01 21:08:45 +08:00 · 2022-11-01 21:08:45 +08:00 · 97884844bf
parent bdb02aa184
commit 97884844bf
2 changed files with 7 additions and 6 deletions
--- a/app/controllers/admin/personal_plugin_fields_controller.rb
+++ b/app/controllers/admin/personal_plugin_fields_controller.rb
@ -8,7 +8,7 @@ class Admin::PersonalPluginFieldsController < OrbitMemberController
 	end

 	def new
-		@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+		@member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
 		@personal_plugin_field = PersonalPluginField.new
 	end
 	def download
@ -16,19 +16,20 @@ class Admin::PersonalPluginFieldsController < OrbitMemberController
 		FileUtils.mkdir_p(zip_path) if !Dir.exist?(zip_path)
 		personal_plugin_field = PersonalPluginField.find(params[:personal_plugin_field_id]) rescue nil
 		if personal_plugin_field
-			zip_file_path = zip_path + "#{personal_plugin_field.module_name.split('/').last}.zip"
-			zip_file= ZipFileGenerator.new(zip_path + personal_plugin_field.module_name ,zip_file_path)
+			module_name = File.basename(personal_plugin_field.module_name)
+			zip_file_path = zip_path + "#{module_name}.zip"
+			zip_file= ZipFileGenerator.new(zip_path + module_name ,zip_file_path)
 			begin
 				zip_file.write
 			rescue
-				File.delete(zip_path + "#{personal_plugin_field.module_name}.zip")
+				File.delete(zip_path + "#{module_name}.zip")
 				zip_file.write
 			end
 			send_file(zip_file_path)
 		end
 	end
 	def copy
-		@member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+		@member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
 		attributes = PersonalPluginField.find(params[:personal_plugin_field_id]).attributes rescue {}
 		attributes = attributes.except("_id")
 		copy_attributes = {}
--- a/template_generator/app/controllers/personal_plugin_templates_controller.rb
+++ b/template_generator/app/controllers/personal_plugin_templates_controller.rb
@ -119,7 +119,7 @@ class PersonalPluginTemplatesController < ApplicationController
 			plugin_templates = plugin_templates.where(:id.in=>tmp_plugin_templates.map{|p| p.id})
 		elsif select_field.split(".").count > 1
 			relate_name = select_field.split(".").first
-			field_name = select_field.split(".").last
+			field_name = select_field.split(".").last.gsub(/^\$+/, '')
 			relate = relate_name.classify.constantize
 			relate_ids = relate.where(field_name=>/#{gsub_invalid_character(keywords)}/).pluck(:id)	
 			plugin_templates = plugin_templates.where("#{relate_name.singularize}_id"=>{'$in'=>relate_ids})