From ff1b6eddc93b97c17dba96f07dafa749f7b26b6d Mon Sep 17 00:00:00 2001
From: bohung
Date: Mon, 24 Oct 2022 16:33:07 +0800
Subject: [PATCH] Fix vulnerable.
---
 app/controllers/archive_feeds_controller.rb | 8 ++++----
 app/controllers/archives_controller.rb | 12 ++++++++++--
 app/models/archive_file.rb | 2 +-
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/app/controllers/archive_feeds_controller.rb b/app/controllers/archive_feeds_controller.rb
index a42c641..653d3cf 100644
--- a/app/controllers/archive_feeds_controller.rb
+++ b/app/controllers/archive_feeds_controller.rb
@@ -3,7 +3,7 @@ class ArchiveFeedsController < ApplicationController
 include Admin::ArchiveFilesHelper
 def feed_add_remote
 if params[:url].present?
- uid = params[:uid]
+ uid = params[:uid].to_s
 archive_file_feed = ArchiveFileFeed.where(uid: uid).first
 if !(archive_file_feed.remote_urls.include?(params[:url]))
 archive_file_feed.remote_urls << params[:url]
@@ -14,7 +14,7 @@ class ArchiveFeedsController < ApplicationController
 end
 def feed_remove_remote
 if params[:url].present?
- uid = params[:uid]
+ uid = params[:uid].to_s
 archive_file_feed = ArchiveFileFeed.where(uid: uid).first
 if archive_file_feed.remote_urls.delete(params[:url])
 archive_file_feed.save
@@ -23,7 +23,7 @@ class ArchiveFeedsController < ApplicationController
 render :json => {success: true}
 end
 def feed
- uid = params[:uid]
+ uid = params[:uid].to_s
 feed_cache = ArchiveFileFeedCache.where(uid: uid)
 feed_cache_old = feed_cache.last
 count = feed_cache.count
@@ -42,7 +42,7 @@ class ArchiveFeedsController < ApplicationController
 end
 def rssfeed
- uid = params[:uid]
+ uid = params[:uid].to_s
 @aff = ArchiveFileFeed.find_by(:uid => uid) rescue nil
 if !@aff.nil?
 tags = @aff.tag_ids
diff --git a/app/controllers/archives_controller.rb b/app/controllers/archives_controller.rb
index 4b9c163..f8b9f7b 100644
--- a/app/controllers/archives_controller.rb
+++ b/app/controllers/archives_controller.rb
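Review bot: `ArchiveFileFeed.where(uid: uid).first` on the line after the changed one can return nil, so a request whose uid matches no feed (now guaranteed to be a plain string, which is the point of the `.to_s`) raises NoMethodError on `archive_file_feed.remote_urls` and surfaces as a 500; the same pattern is in the `feed_remove_remote` hunk at -14. A guard such as `return render :json => {success: false}, :status => :not_found if archive_file_feed.nil?` placed before the `remote_urls` access keeps a bad id from becoming a server error. `params[:url]` is also appended to `remote_urls` without any check that it is an absolute http(s) URL; if these entries are later fetched server-side, which the method name suggests but this hunk does not show, validating the scheme at the point of storage is the cheapest place to do it. feed_add_remote's body continues past the end of the hunk.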
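Review bot: The `rescue nil` modifier on `@aff = ArchiveFileFeed.find_by(:uid => uid) rescue nil`, the line after the changed one in the -42 hunk, swallows every StandardError raised by the lookup (a database connection failure included), not just a missing document, so the action silently behaves as "no feed" when the store is unreachable. The other actions in this file already use `ArchiveFileFeed.where(uid: uid).first`, which yields nil for a miss without rescuing anything; `@aff = ArchiveFileFeed.where(uid: uid).first` would be consistent with them and drop the blanket rescue. rssfeed's body continues past the end of the hunk.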
@@ -5,7 +5,15 @@ class ArchivesController < ApplicationController
 end
 #avoid the categories to be not in the ArchiveCategory
 def serve_cmap
- serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{params[:file_name]}.#{params[:extension]}",__FILE__)
+ file_name = params[:file_name].to_s
+ if file_name.include?('/')
+ file_name = file_name.split('/').last
+ end
+ extension = params[:extension].to_s
+ if extension.include?('/')
+ extension = extension.split('/').last
+ end
+ serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{file_name}.#{extension}",__FILE__)
 if Dir.glob(serve_path).length != 0
 send_file(serve_path, type: "application/octet-stream")
 else
@@ -14,7 +22,7 @@ class ArchivesController < ApplicationController
 end
 def show
 params = OrbitHelper.params
- archive_file = ArchiveFile.find_by(:uid=>params[:uid])
+ archive_file = ArchiveFile.find_by(:uid=>params[:uid].to_s)
 locale = I18n.locale.to_s
 data, serial_number, idx = archive_file.get_frontend_data(locale, 0, 0, true, OrbitHelper.url_to_show("")) {
diff --git a/app/models/archive_file.rb b/app/models/archive_file.rb
index 8f6f57b..f1b7bb3 100644
--- a/app/models/archive_file.rb
+++ b/app/models/archive_file.rb
@@ -424,7 +424,7 @@ class ArchiveFile
 http = Net::HTTP.new(new_uri.host, new_uri.port)
 if location.include?('https')
 http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 end
 request.instance_variable_set(:@path, new_uri.path)
 response = self.http_request(http, request)
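Review bot: Keeping only what follows the last `/` in `file_name` and `extension` closes the obvious traversal, but the new code still normalises rather than validates: a value of `..` contains no slash and is passed straight into `File.expand_path`, and `Dir.glob(serve_path).length != 0` on the unchanged line below treats `*`, `?` and `[` in the name as patterns, so the existence check and the `send_file` call are not necessarily looking at the same file. Safer to derive both parts with `File.basename`, allowlist the characters the bcmaps directory actually uses (adjust the regex below to the shipped file names), and after expansion require that `serve_path` still lies under the bcmaps directory and is a regular file; the rewrite below does that and keeps the original `__FILE__`-relative location. The else branch and the remainder of the method are outside the hunk.
```ruby
def serve_cmap
  bcmaps_dir = File.expand_path("../../assets/javascripts/archive/pdf/bcmaps", __FILE__)
  file_name = File.basename(params[:file_name].to_s)
  extension = File.basename(params[:extension].to_s)
  # Allowlist plain names before touching the filesystem, then re-check
  # containment after normalisation so ".." or a glob metacharacter cannot
  # select anything outside bcmaps_dir.
  valid_name = file_name.match?(/\A[\w-]+\z/) && extension.match?(/\A\w+\z/)
  serve_path = File.expand_path(File.join(bcmaps_dir, "#{file_name}.#{extension}"))
  if valid_name && serve_path.start_with?("#{bcmaps_dir}/") && File.file?(serve_path)
    send_file(serve_path, type: "application/octet-stream")
  else
    # … unchanged: not-found branch …
```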
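Review bot: `if location.include?('https')` on the line above the changed one is a substring test on the raw redirect target, so both the TLS switch and the newly enabled peer verification hinge on whether "https" appears anywhere in the string rather than on the parsed URI that already supplies host and port; `if new_uri.scheme == 'https'` ties the decision to the same object. Two lines further down, `request.instance_variable_set(:@path, new_uri.path)` drops the query component of the redirect target, so a redirect to a URL carrying parameters would be re-requested without them; `request.instance_variable_set(:@path, new_uri.request_uri)` carries path and query together. If this code follows whatever `location` names, which the variable name suggests but the hunk does not show, switching to VERIFY_PEER does not constrain which hosts can be reached; that check belongs wherever `location` is validated before this point. The enclosing method starts and ends outside the hunk.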