Fix vulnerable.

This commit is contained in:
BoHung Chiu 2022-10-24 16:33:07 +08:00
parent 96e971f200
commit ff1b6eddc9
3 changed files with 15 additions and 7 deletions


@ -3,7 +3,7 @@ class ArchiveFeedsController < ApplicationController
include Admin::ArchiveFilesHelper include Admin::ArchiveFilesHelper
def feed_add_remote def feed_add_remote
if params[:url].present? if params[:url].present?
uid = params[:uid] uid = params[:uid].to_s
archive_file_feed = ArchiveFileFeed.where(uid: uid).first archive_file_feed = ArchiveFileFeed.where(uid: uid).first
if !(archive_file_feed.remote_urls.include?(params[:url])) if !(archive_file_feed.remote_urls.include?(params[:url]))
archive_file_feed.remote_urls << params[:url] archive_file_feed.remote_urls << params[:url]
@ -14,7 +14,7 @@ class ArchiveFeedsController < ApplicationController
end end
def feed_remove_remote def feed_remove_remote
if params[:url].present? if params[:url].present?
uid = params[:uid] uid = params[:uid].to_s
archive_file_feed = ArchiveFileFeed.where(uid: uid).first archive_file_feed = ArchiveFileFeed.where(uid: uid).first
if archive_file_feed.remote_urls.delete(params[:url]) if archive_file_feed.remote_urls.delete(params[:url])
archive_file_feed.save archive_file_feed.save
@ -23,7 +23,7 @@ class ArchiveFeedsController < ApplicationController
render :json => {success: true} render :json => {success: true}
end end
def feed def feed
uid = params[:uid] uid = params[:uid].to_s
feed_cache = ArchiveFileFeedCache.where(uid: uid) feed_cache = ArchiveFileFeedCache.where(uid: uid)
feed_cache_old = feed_cache.last feed_cache_old = feed_cache.last
count = feed_cache.count count = feed_cache.count
@ -42,7 +42,7 @@ class ArchiveFeedsController < ApplicationController
end end
def rssfeed def rssfeed
uid = params[:uid] uid = params[:uid].to_s
@aff = ArchiveFileFeed.find_by(:uid => uid) rescue nil @aff = ArchiveFileFeed.find_by(:uid => uid) rescue nil
if !@aff.nil? if !@aff.nil?
tags = @aff.tag_ids tags = @aff.tag_ids
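Review bot: `archive_file_feed` from `ArchiveFileFeed.where(uid: uid).first` on the line after the new `uid = params[:uid].to_s` can still be nil, and the next line calls `.remote_urls` on it, so an unknown uid turns the request into a 500 instead of a clean failure; feed_remove_remote has the same shape. A guard such as `return render(:json => {success: false}) if archive_file_feed.nil?` before the `remote_urls` access in both actions would close that. The `.to_s` coercion stops a hash-valued `uid` parameter from reaching the query, but `params[:url]` is still appended to `remote_urls` without checking that it is an http(s) URL, and the model section below opens Net::HTTP connections to stored locations, so a scheme/host check before `remote_urls <<` looks warranted. The enclosing actions continue outside the visible hunks, and no authorization filter is visible here, so I cannot tell whether these endpoints are restricted to administrators.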


@ -5,7 +5,15 @@ class ArchivesController < ApplicationController
end end
#avoid the categories to be not in the ArchiveCategory #avoid the categories to be not in the ArchiveCategory
def serve_cmap def serve_cmap
serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{params[:file_name]}.#{params[:extension]}",__FILE__) file_name = params[:file_name].to_s
if file_name.include?('/')
file_name = file_name.split('/').last
end
extension = params[:extension].to_s
if extension.include?('/')
extension = extension.split('/').last
end
serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{file_name}.#{extension}",__FILE__)
if Dir.glob(serve_path).length != 0 if Dir.glob(serve_path).length != 0
send_file(serve_path, type: "application/octet-stream") send_file(serve_path, type: "application/octet-stream")
else else
@ -14,7 +22,7 @@ class ArchivesController < ApplicationController
end end
def show def show
params = OrbitHelper.params params = OrbitHelper.params
archive_file = ArchiveFile.find_by(:uid=>params[:uid]) archive_file = ArchiveFile.find_by(:uid=>params[:uid].to_s)
locale = I18n.locale.to_s locale = I18n.locale.to_s
data, serial_number, idx = archive_file.get_frontend_data(locale, 0, 0, true, OrbitHelper.url_to_show("")) data, serial_number, idx = archive_file.get_frontend_data(locale, 0, 0, true, OrbitHelper.url_to_show(""))
{ {
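Review bot: The new `if file_name.include?('/')` … `split('/').last` blocks reimplement `File.basename`, and the unchanged `Dir.glob(serve_path)` on the line after the rebuilt `serve_path` still treats the request-supplied name as a glob pattern, so a `file_name` of `*` makes the existence check pass while `send_file` then fails on the literal path. Stripping the directory part does stop traversal, but `extension` remains unrestricted; if the bcmaps directory only holds one file type, pinning the extension with an allow-list would be simpler than sanitising it. I would resolve the name with `File.basename`, join it under the bcmaps directory, and test it with `File.file?` rather than a glob. The else branch of serve_cmap is unchanged.
```ruby
base_dir = File.expand_path("../../assets/javascripts/archive/pdf/bcmaps", __FILE__)
file_name = File.basename(params[:file_name].to_s)
extension = File.basename(params[:extension].to_s)
serve_path = File.join(base_dir, "#{file_name}.#{extension}")
if File.file?(serve_path)
  send_file(serve_path, type: "application/octet-stream")
# … unchanged: else branch …
```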


@ -424,7 +424,7 @@ class ArchiveFile
http = Net::HTTP.new(new_uri.host, new_uri.port) http = Net::HTTP.new(new_uri.host, new_uri.port)
if location.include?('https') if location.include?('https')
http.use_ssl = true http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE http.verify_mode = OpenSSL::SSL::VERIFY_PEER
end end
request.instance_variable_set(:@path, new_uri.path) request.instance_variable_set(:@path, new_uri.path)
response = self.http_request(http, request) response = self.http_request(http, request)
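Review bot: `if location.include?('https')` on the line above the changed `verify_mode` is a substring test on the whole Location value, so a redirect to `http://host/path?via=https` turns on `use_ssl` for a plain-http target; since `new_uri` is already parsed, `if new_uri.scheme == 'https'` is the precise check. Switching to `VERIFY_PEER` is the right fix, and with `use_ssl` set Net::HTTP should pick up Ruby's default certificate store, so nothing else appears to be needed here. The redirect is followed wherever the remote server points, including hosts on the local network; if these locations originate from the `remote_urls` a user adds through the controller, a host allow-list or a private-address check before reconnecting is worth considering, though the caller is not visible from this hunk. The method enclosing this hunk starts and ends outside it.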