From 6f14f004780269a51164cd7908100dcd77b101be Mon Sep 17 00:00:00 2001
From: chiu
Date: Wed, 4 Aug 2021 20:05:15 +0800
Subject: [PATCH] fix vulnerability
---
 app/controllers/announcements_controller.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/controllers/announcements_controller.rb b/app/controllers/announcements_controller.rb
index 752458e..de4ec49 100644
--- a/app/controllers/announcements_controller.rb
+++ b/app/controllers/announcements_controller.rb
@@ -497,6 +497,7 @@ class AnnouncementsController < ApplicationController
 end
 def get_file
 @url = request.path
+render :text => "Path not allow",:status => 404 if @url.match(/\/\.\./)
 begin
 file = BulletinFile.find(params[:id])
 if File.basename(file.file.path) != URI.decode(params[:f_name])
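Review bot: The added guard does not stop the action: `render` in a controller does not return from the method, so when the path matches, execution still falls through into the `begin` block, `BulletinFile.find` and the file-serving code below (and a second render there would raise `DoubleRenderError`), which means the rejection is only cosmetic. Make the guard an early exit, `return render(:text => "Path not allow", :status => 404) if @url.match(/\/\.\./)`, so nothing after it runs for a rejected request. Note also that the check inspects `request.path` for a literal `..` but the value the method actually uses for the file name is `params[:f_name]`, which is decoded separately on the last context line; whether `request.path` has already been percent-decoded at this point depends on the Rack/Rails version in use, so confirm that before relying on a literal match, and consider applying the same rejection to the decoded `f_name`. `render :text` is also a legacy option (`render plain:` in newer Rails), so check it is still supported by the app's Rails version. `get_file` continues beyond the end of this hunk.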