From 34b74ff308e9228f6a3b7ab4977c62e92dd0457e Mon Sep 17 00:00:00 2001
From: "BOYA,CHIU"
Date: Tue, 20 Jul 2021 19:54:13 +0800
Subject: [PATCH] fix security problem
---
 app/controllers/announcements_controller.rb | 4 ++++
 config/routes.rb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/announcements_controller.rb b/app/controllers/announcements_controller.rb
index 3fc4368..752458e 100644
--- a/app/controllers/announcements_controller.rb
+++ b/app/controllers/announcements_controller.rb
@@ -499,6 +499,10 @@ class AnnouncementsController < ApplicationController
 @url = request.path
 begin
 file = BulletinFile.find(params[:id])
+if File.basename(file.file.path) != URI.decode(params[:f_name])
+render :file => "#{Rails.root}/app/views/errors/403.html", :layout => false, :status => :not_found, :content_type => 'text/html'
+return
+end
 @url = file.file.url if file.can_access?(OrbitHelper.current_user)
 @path = file.file.path
 rescue ""
diff --git a/config/routes.rb b/config/routes.rb
index aec69b9..0a405ba 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -39,7 +39,7 @@ Rails.application.routes.draw do
 get '/xhr/announcements/announcement.json', to: 'bulletins#get_bulletins'
 get '/xhr/panel/announcement/widget/sync_data' => 'announcements#show_widget'
 get '/xhr/announcements/:slug_title-:uid/comment', to: 'announcements#comment'
-get '/xhr/announcements/file/:id/*f_name' => 'announcements#get_file'
+get '/xhr/announcements/file/:id/*f_name', to: 'announcements#get_file', format: false
 end
 end
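Review bot: `URI.decode` on the first added line is the obsolete alias of `URI.unescape`, which was removed in Ruby 3.0, so on such a runtime the guard raises NoMethodError into the `rescue` that closes the block instead of rejecting the request; the direct replacement is `URI::DEFAULT_PARSER.unescape(params[:f_name].to_s)`, where the `.to_s` also keeps a missing parameter from raising. The error response contradicts itself: it renders the `403.html` template but sends `:status => :not_found`; use `:status => :forbidden` or the project's not-found template so body and status agree, and either way a mismatch here indicates a crafted URL that is worth logging together with `params[:id]` before the `render`. Rails already percent-decodes path parameters, so the explicit decode is likely a second decode and would wrongly reject a stored file whose name itself contains a literal percent-encoded sequence — worth a quick check with such a filename. The enclosing action starts and ends outside the hunk.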
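Review bot: `format: false` on the new route line is the load-bearing part of the change, but nothing says why it is there, so a later cleanup could drop it; a comment above the route would prevent that, e.g. `# format: false keeps a trailing ".ext" inside *f_name instead of splitting it into params[:format], so the controller can compare the whole filename`. The switch from `=>` to `to:` on the same line is cosmetic. Because `*f_name` is a glob it still accepts embedded slashes, which the controller's basename comparison then rejects with an error page — presumably intended, but worth stating in the same comment.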