Fix vulnerable.

BoHung Chiu 2022-10-26 15:39:25 +08:00
parent 9622b14eda
commit 3a43a50fa9
1 changed files with 4 additions and 10 deletions


@ -5,14 +5,8 @@ class ArchivesController < ApplicationController
end end
#avoid the categories to be not in the ArchiveCategory #avoid the categories to be not in the ArchiveCategory
def serve_cmap def serve_cmap
file_name = params[:file_name].to_s file_name = File.basename(params[:file_name].to_s)
if file_name.include?('/') extension = File.basename(params[:extension].to_s)
file_name = file_name.split('/').last
end
extension = params[:extension].to_s
if extension.include?('/')
extension = extension.split('/').last
end
serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{file_name}.#{extension}",__FILE__) serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{file_name}.#{extension}",__FILE__)
if Dir.glob(serve_path).length != 0 if Dir.glob(serve_path).length != 0
send_file(serve_path, type: "application/octet-stream") send_file(serve_path, type: "application/octet-stream")
@ -244,8 +238,8 @@ class ArchivesController < ApplicationController
@url = file.file.url @url = file.file.url
begin begin
@path = file.file.file.file rescue "" @path = file.file.file.file rescue ""
@filename = @path.split("/").last @filename = File.basename(@path)
@ext = @path.split("/").last.to_s.split(".").last @ext = @filename.split(".").last
if @ext == "png" || @ext == "jpg" || @ext == "bmp" || @ext == "pdf" if @ext == "png" || @ext == "jpg" || @ext == "bmp" || @ext == "pdf"
render "download_file",:layout=>false render "download_file",:layout=>false
else else
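Review bot: The existence check `if Dir.glob(serve_path).length != 0` still takes its pattern from the request, because `File.basename` strips directory components but leaves glob metacharacters (`*`, `?`, `[`, `{`) in `file_name` and `extension`; a pattern that matches any file in the directory passes the check while `send_file` is then handed the literal pattern string, so the check and the send disagree. `File.file?(serve_path)` tests the exact path and is the right predicate here. If the target directory should also be pinned explicitly, build the path as `bcmaps_dir = File.expand_path("../../assets/javascripts/archive/pdf/bcmaps", __FILE__)`, `serve_path = File.expand_path("#{file_name}.#{extension}", bcmaps_dir)` and guard with `if serve_path.start_with?("#{bcmaps_dir}/") && File.file?(serve_path)`. Note also that `File.basename("/")` returns `"/"` and `File.basename("")` returns `""`, so a slash-only or empty `file_name` does not produce an empty path component; the `File.file?` check covers those cases as well. The remainder of `serve_cmap` (the else branch and closing `end`) lies outside the hunk.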