From e09ecd8ca48ba8ad9d4098f35fef79a3e0e0b693 Mon Sep 17 00:00:00 2001
From: bohung
Date: Mon, 24 Oct 2022 16:22:49 +0800
Subject: [PATCH] Fix vulnerable.

---
 .../admin/writing_conferences_controller.rb | 4 ++--
 app/controllers/personal_conferences_controller.rb | 11 ++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/controllers/admin/writing_conferences_controller.rb b/app/controllers/admin/writing_conferences_controller.rb
index b2247ea..0718064 100644
--- a/app/controllers/admin/writing_conferences_controller.rb
+++ b/app/controllers/admin/writing_conferences_controller.rb
@@ -58,7 +58,7 @@ class Admin::WritingConferencesController < OrbitMemberController
   end
 
   def new
-    @member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
     @writing_conference = WritingConference.new
 
     if params[:desktop]
@@ -207,7 +207,7 @@ class Admin::WritingConferencesController < OrbitMemberController
   end
 
   def frontend_setting
-    @member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+    @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
     @intro = WritingConferenceIntro.find_by(:member_profile_id=>@member.id) rescue nil
     @intro = @intro.nil? ? WritingConferenceIntro.new({:member_profile_id=>@member.id}) : @intro
   end
diff --git a/app/controllers/personal_conferences_controller.rb b/app/controllers/personal_conferences_controller.rb
index 9590c31..a547185 100644
--- a/app/controllers/personal_conferences_controller.rb
+++ b/app/controllers/personal_conferences_controller.rb
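Review bot: The `.to_s` added on `+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil` coerces rather than validates: a request such as `uid[$ne]=1`, which Rails parses into a nested Hash, is now looked up as the string form of that Hash and presumably just yields an empty `@member` instead of being rejected. An explicit type check states the intent and gives the client a 4xx: `uid = params['uid']` / `return head(:bad_request) unless uid.is_a?(String)` ahead of the lookup, then `find_by(:uid => uid)`. The trailing `rescue nil` still swallows every StandardError from the query, so a real database failure is indistinguishable from an unknown uid; now that the input is a plain string it is worth dropping it. `new` continues past the end of this hunk.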
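Review bot: After the change `@member` can still be nil (an unknown or non-string `uid`, or any error swallowed by `rescue nil`), and two lines later `@member.id` is dereferenced; the first `@intro` line hides that behind its own `rescue nil`, but the `WritingConferenceIntro.new({:member_profile_id=>@member.id})` branch has no rescue and raises NoMethodError on nil. A guard right after the lookup turns that 500 into an explicit response: `return head(:not_found) if @member.nil?`. `frontend_setting` is complete within this hunk.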
@@ -47,7 +47,11 @@ class PersonalConferencesController < ApplicationController
     when 'authors'
       writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(get_authors_text(value), params[:keywords]) }
     else
-      writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+      if fields_to_show.include?(params[:selectbox])
+        writing_conferences_show = writing_conferences_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+      else
+        writing_conferences_show = writing_conferences_temp
+      end
     end
     page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
     writing_conferences = writing_conferences_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@@ -111,7 +115,8 @@ class PersonalConferencesController < ApplicationController
     choice = choice.map { |value| value.inject :merge }
     select_text = t('personal_conference.search_class')
     search_text = t('personal_conference.word_to_search')
-    csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+    @_request = OrbitHelper.request
+    csrf_value = form_authenticity_token
     { 'writing_conferences' => writing_conference_list,
     'extras' => { 'widget-title' => t('module_name.personal_conference'),
@@ -128,7 +133,7 @@ class PersonalConferencesController < ApplicationController
 
   def show
     params = OrbitHelper.params
-    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid])
+    plugin = WritingConference.where(is_hidden: false).find_by(uid: params[:uid].to_s)
     fields_to_show = %w[
       year
       authors
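Review bot: The allowlist check is the right fix for the `value.send(params[:selectbox])` dispatch, but the guarded call should also become `value.public_send(params[:selectbox])` so that even an allowlisted name can never reach a private or protected method. `fields_to_show` is defined outside this hunk, so its contents cannot be confirmed here (presumably the `%w[ year authors ... ]` list that `show` also builds); a comment at its definition, `# also serves as the allowlist for the selectbox dispatch in index`, would stop someone extending it with a non-field name. The new `else` branch makes an unknown `selectbox` behave as "no filter" by returning the whole `writing_conferences_temp`; if that is intended rather than an empty result, `# unknown search field: fall back to the unfiltered list` on that line would make it deliberate. The enclosing method starts before and ends after this hunk.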
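Review bot: `@_request = OrbitHelper.request` writes straight into ActionController::Metal's internal request slot so that `form_authenticity_token` can reach a session; that is an implementation detail rather than a public API, and if `OrbitHelper.request` is nil (this code reads request state through `OrbitHelper` rather than the controller, which suggests it can run outside a normal dispatch) the token call fails with NoMethodError on a nil session. Where the app's Rails version exposes it, prefer the setter and guard the nil case: `set_request!(OrbitHelper.request)` / `csrf_value = request && form_authenticity_token`. Replacing the `rand`-built string with the real session-bound token only protects anything if the endpoint the widget posts to runs `protect_from_forgery`; that side is not visible here and is worth confirming. The enclosing method begins before this hunk.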
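Review bot: The `fields_to_show = %w[ year authors ...` list that begins here appears to be the same allowlist `index` now relies on for its `send` guard, yet each method builds its own copy, so the two can drift and a field added in one place would silently be, or not be, dispatchable in the other. Hoist it to a single frozen constant on the class, `FIELDS_TO_SHOW = %w[year authors ...].freeze`, and reference that from both methods. The `.to_s` on `params[:uid]` matches the other hunks; `find_by` returns nil for an unmatched uid, so the rest of `show` must tolerate `plugin` being nil. Both the list and the method continue past the end of this hunk.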