Fix vulnerable.

2022-10-24 16:22:49 +08:00 · 2022-10-24 16:22:49 +08:00 · e09ecd8ca4
parent 8ba1baa045
commit e09ecd8ca4
2 changed files with 10 additions and 5 deletions
--- a/app/controllers/admin/writing_conferences_controller.rb
+++ b/app/controllers/admin/writing_conferences_controller.rb
@ -58,7 +58,7 @@ class Admin::WritingConferencesController < OrbitMemberController
  end

  def new
-    @member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
    @writing_conference = WritingConference.new

    if params[:desktop]
@ -207,7 +207,7 @@ class Admin::WritingConferencesController < OrbitMemberController
  end

  def frontend_setting
-    @member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+    @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
    @intro = WritingConferenceIntro.find_by(:member_profile_id=>@member.id) rescue nil
    @intro = @intro.nil? ? WritingConferenceIntro.new({:member_profile_id=>@member.id}) : @intro
  end
--- a/app/controllers/personal_conferences_controller.rb
+++ b/app/controllers/personal_conferences_controller.rb
@ -47,7 +47,11 @@ class PersonalConferencesController < ApplicationController
      when 'authors'
        writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(get_authors_text(value), params[:keywords]) }
      else
-        writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+        if fields_to_show.include?(params[:selectbox])
+          writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+        else
+          writing_conferences_show = writing_conferences_temp
+        end
      end
      page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
      writing_conferences = writing_conferences_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@ -111,7 +115,8 @@ class PersonalConferencesController < ApplicationController
    choice = choice.map { |value| value.inject :merge }
    select_text = t('personal_conference.search_class')
    search_text = t('personal_conference.word_to_search')
-    csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+    @_request = OrbitHelper.request
+    csrf_value = form_authenticity_token
    {
      'writing_conferences' => writing_conference_list,
      'extras' => { 'widget-title' => t('module_name.personal_conference'),
@ -128,7 +133,7 @@ class PersonalConferencesController < ApplicationController

  def show
    params = OrbitHelper.params
-    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid])
+    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid].to_s)
    fields_to_show = %w[
      year
      authors