From 8ee0655923ec8b641408b17b52de3857f7361a0f Mon Sep 17 00:00:00 2001
From: bohung
Date: Sat, 22 Oct 2022 18:43:36 +0800
Subject: [PATCH] Fix bug. Fix vulnerable.

---
 app/controllers/admin/seminars_controller.rb | 30 +++++---------
 app/controllers/seminars_controller.rb | 12 +++---
 app/models/seminar_main.rb | 1 +
 app/models/seminar_signup.rb | 2 +-
 .../seminar_review_results/edit.html.erb | 15 +++----
 app/views/admin/seminar_signups/edit.html.erb | 8 ----
 app/views/admin/seminars/_form.html.erb | 36 ++++++++---------
 .../seminars/_get_display_fields.html.erb | 40 +++++++++++--------
 .../_seminar_signup_render_table.html.erb | 21 +++++-----
 app/views/seminars/con_login.html.erb | 6 ++-
 10 files changed, 84 insertions(+), 87 deletions(-)

diff --git a/app/controllers/admin/seminars_controller.rb b/app/controllers/admin/seminars_controller.rb
index 3f99357..1afb047 100644
--- a/app/controllers/admin/seminars_controller.rb
+++ b/app/controllers/admin/seminars_controller.rb
@@ -436,16 +436,18 @@ class Admin::SeminarsController < OrbitAdminController
 end
 end
 seminar_main_params = seminar_params
- seminar_signup_set_params = seminar_main_params['seminar_signup_field_sets']
- seminar_submission_set_params = seminar_main_params['seminar_submission_field_sets']
- seminar_email_sets_params = seminar_main_params['seminar_email_sets']
- seminar_signup_field_customs_params = seminar_main_params["seminar_signup_field_customs"].to_h rescue {}
- seminar_main_params["seminar_signup_field_customs"].to_h.each do |k,v|
- v.delete "title"
+ if seminar.copy_id
+ seminar_signup_set_params = seminar_main_params['seminar_signup_field_sets_attributes']
+ seminar_submission_set_params = seminar_main_params['seminar_submission_field_sets_attributes']
+ seminar_email_sets_params = seminar_main_params['seminar_email_sets_attributes']
+ seminar_signup_field_customs_params = seminar_main_params["seminar_signup_field_customs_attributes"].to_h rescue {}
+ seminar_signup_field_customs_params.each do |k,v|
+ v.delete "title"
+ end
+ seminar_main_params.delete(:seminar_signup_field_sets_attributes)
+ seminar_main_params.delete(:seminar_submission_field_sets_attributes)
+ seminar_main_params.delete(:seminar_email_sets_attributes)
 end
- seminar_main_params.delete(:seminar_signup_field_sets)
- seminar_main_params.delete(:seminar_submission_field_sets)
- seminar_main_params.delete(:seminar_email_sets)
 seminar = SeminarMain.new(seminar_main_params)
 seminar.create_user_id = current_user.id
 seminar.update_user_id = current_user.id
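Review bot: `if seminar.copy_id` on the new side runs before `seminar = SeminarMain.new(seminar_main_params)` further down the same hunk, so unless a `seminar` local or method already exists above line 436 (not visible here) Ruby parses it as a method call and every create raises NameError, which also leaves `seminar_signup_field_customs_params` unassigned for the `@@ -466` hunk. If the copy is meant to be detected from the submitted form, test the permitted param instead, e.g. `if seminar_main_params['copy_id'].present?`, assuming `seminar_params` permits `copy_id`. The `.to_h rescue {}` modifier on the customs line swallows every exception rather than just a missing key; `(seminar_main_params["seminar_signup_field_customs_attributes"] || {}).to_h` keeps the fallback and lets real errors surface. The enclosing action starts above and ends below the hunk.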
@@ -466,16 +468,6 @@ class Admin::SeminarsController < OrbitAdminController
 seminar_signup_field_customs_params.each_with_index do |(key,value),i|
 seminar.seminar_signup_field_customs[i].update(:seminar_signup_field_id => seminar.seminar_signup_fields.where(:title=>value["title"]).first.id) rescue nil
 end
- else
- seminar_signup_set_params.each do |key,value|
- seminar.seminar_signup_field_sets.create(value)
- end
- seminar_submission_set_params.each do |key,value|
- seminar.seminar_submission_field_sets.create(value)
- end
- seminar_email_sets_params.each do |key,value|
- seminar.seminar_email_sets.create(value)
- end
 end
 redirect_to params['referer_url']
diff --git a/app/controllers/seminars_controller.rb b/app/controllers/seminars_controller.rb
index 785a9b7..cbe5d65 100644
--- a/app/controllers/seminars_controller.rb
+++ b/app/controllers/seminars_controller.rb
@@ -446,7 +446,7 @@ class SeminarsController < ApplicationController
 status_param = ''
 send_mail('signup',params[:seminar_signup][:email],params[:seminar_signup][:seminar_main_id],extra_text)
 end
- redirect_to "#{params[:referer_url]}/?method=signup_ok#{status_param}&serial_number=#{@seminar_signup.display_serial_number}"
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=signup_ok#{status_param}&serial_number=#{@seminar_signup.display_serial_number}"
 else
 if !@signup.blank?
 redirect_to "#{params[:referer_url]}", :notice => 'mail已存在'
@@ -532,7 +532,7 @@ class SeminarsController < ApplicationController
 end
 @seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
 @seminar.save
- redirect_to "#{params[:referer_url]}/?method=con_upload"
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
 else
 redirect_to "#{params[:referer_url]}", :notice => t('recaptcha.errors.verification_failed')
 end
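Review bot: The new `redirect_to` line still interpolates `params[:referer_url]` unchecked; `.to_s.chomp('/')` only trims a trailing slash, so a request whose `referer_url` is an absolute or protocol-relative URL is still redirected off-site, and the same line shape is on the new side of the `@@ -532`, `@@ -582`, `@@ -607` and `@@ -711` hunks of this file (the `redirect_to "#{params[:referer_url]}"` context lines have the same exposure). Resolve the target once through a controller helper that keeps only a path on this host and otherwise falls back to an empty base, then interpolate its result, e.g. `redirect_to "#{referer_base}/?method=signup_ok#{status_param}&serial_number=#{@seminar_signup.display_serial_number}"`. On Rails 7 and later `url_from(params[:referer_url])` performs the equivalent host check. The enclosing action starts above the hunk.
```ruby
# Path part of the caller-supplied referer_url ('' when it is blank, malformed,
# or names a host other than ours), so the "/?method=..." suffix appended by the
# callers always yields a same-site relative URL.
def referer_base
  uri = URI.parse(params[:referer_url].to_s.strip)
  return '' if uri.host && uri.host != request.host
  uri.path.to_s.chomp('/')
rescue URI::InvalidURIError
  ''
end
```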
@@ -582,7 +582,7 @@ class SeminarsController < ApplicationController
 end
 @seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
 @seminar.save
- redirect_to "#{params[:referer_url]}/?method=con_upload"
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
 else
 redirect_to "#{params[:referer_url]}", :notice => t('recaptcha.errors.verification_failed')
 end
@@ -607,7 +607,7 @@ class SeminarsController < ApplicationController
 end
 @seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
 @seminar.save
- redirect_to "#{params[:referer_url]}/?method=con_upload"
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
 end
@@ -711,9 +711,9 @@ class SeminarsController < ApplicationController
 session[:seminar_signup_id] = @seminar_signup.id
 session[:seminar_main_id] = @seminar_signup.seminar_main_id
- redirect_to "#{params[:referer_url]}/?method=con_upload"
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
 else
- redirect_to "#{params[:referer_url]}/?method=con_login", :notice => '登入失敗'
+ redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_login", :notice => '登入失敗'
 end
 end
diff --git a/app/models/seminar_main.rb b/app/models/seminar_main.rb
index e50db84..d746313 100644
--- a/app/models/seminar_main.rb
+++ b/app/models/seminar_main.rb
@@ -8,6 +8,7 @@ class SeminarMain
 include OrbitCategory::Categorizable
 include Slug
 ChoiceTypes = ["checkbox","radio","select"]
+ ExceptFieldSetDisplays = ["password", "recaptcha"]
 field :annc_count, :type => Integer, :default => 0
 field :album_count, :type => Integer, :default => 0
 field :copy_id
diff --git a/app/models/seminar_signup.rb b/app/models/seminar_signup.rb
index 432a188..4fde0df 100644
--- a/app/models/seminar_signup.rb
+++ b/app/models/seminar_signup.rb
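Review bot: `ExceptFieldSetDisplays = ["password", "recaptcha"]` in the seminar_main.rb hunk is a mutable array constant, so any `<<` or `delete` on it elsewhere would silently change which field sets are excluded for the whole process; freeze it, `ExceptFieldSetDisplays = %w[password recaptcha].freeze`. The `HiddenFields` list changed in the seminar_signup.rb hunk below has the same shape and would take the same `.freeze`. A one-line comment above the constant, such as `# Field sets never offered in the signup display-field picker (see _get_display_fields)`, would also help, since the name alone does not say whether these are hidden by default or left out entirely.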
@@ -3,7 +3,7 @@ class SeminarSignup
 include Mongoid::Document
 include Mongoid::Timestamps
- HiddenFields = ['seminar_signup_id','_id', 'created_at', 'updated_at','seminar_main_id',"serial_number","final_session","final_sessions","preferred_sessions",'seminar_session_id',"seminar_session_ids","preferred_session","sort_number","abstract_number","presentation_type"]
+ HiddenFields = ['seminar_signup_id','_id', 'created_at', 'updated_at','seminar_main_id',"serial_number","final_session","final_sessions","preferred_sessions",'seminar_session_id',"seminar_session_ids","preferred_session","sort_number","abstract_number","presentation_type", "filename"]
 DefaultEnableFields = ['status','name','tel','phone','email','password','recaptcha']
 field :sort_number , type: Integer, default: 10000
diff --git a/app/views/admin/seminar_review_results/edit.html.erb b/app/views/admin/seminar_review_results/edit.html.erb
index e724c80..eb434a6 100644
--- a/app/views/admin/seminar_review_results/edit.html.erb
+++ b/app/views/admin/seminar_review_results/edit.html.erb
@@ -42,7 +42,7 @@
 <% val = t("seminar.registration_status_#{seminar_signup.status}") if !seminar_signup.status.blank? %>
 <% end %>
 <% elsif names[0] == "seminar_signup_field_custom" || names[0] == "seminar_signup_fields" %>
- <% val = seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
+ <% val = html_escape(seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "" %> <% elsif names[0] == "seminar_signup_contributes" %> <% if names[1] == "file" %> <% seminar_signup_contribute = @seminar_signup_contribute %> @@ -69,7 +69,7 @@ <% else %> <% file_content = File.read(file_path) rescue "" %> <% if file_content.is_utf8? %> - <% file_content = file_content.gsub(/(\r\n|\n)/,"
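Review bot: The `html_escape(...).gsub(/(\r\n|\n)/, ...)` expression on the new line is repeated verbatim in the `@@ -91` hunk of this file and in the `@@ -81` and `@@ -103` hunks of `_seminar_signup_render_table.html.erb`; each copy is a place where the escape can be left out the next time a value is rendered, so move it into one view helper (for example `escape_with_line_breaks(value)` that applies `html_escape` and then the newline substitution) and call that here. In current Rails `gsub` on the `SafeBuffer` returned by `html_escape` yields a plain `String`, so `val` is not `html_safe`; wherever it is output (outside this hunk) it has to be marked safe exactly once, and only values that went through the helper should ever be marked that way. The trailing `rescue ""` also hides a NoMethodError from a missing value together with any error from the escape itself; `&.` on the lookup chain followed by `.to_s` narrows that to the intended nil case.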
")%> + <% file_content = html_escape(file_content).gsub(/(\r\n|\n)/,"
") %> <% val = "
#{t(:download)}

#{file_title}

#{file_content}
"%> <% else %> <% val = link_to( file_title, file_url , {:target => '_blank', :title => Nokogiri::HTML(description.gsub("
"," , ")).text, :download=>filename} ) if seminar_signup_contribute.file.file %> @@ -91,12 +91,13 @@ <% end %> <% end %> <% elsif names[0] == "seminar_submission_fields" %> - <% val = @seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %> <% seminar_submission_field = seminar_signup.seminar_main.seminar_submission_fields.where(:key=>names[1]).first %> - <% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session" - seminar_submission_value = @seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first - val = "#{(seminar_submission_value.get_value_by_locale(I18n.locale) rescue "")}" - end %> + <% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session" + seminar_submission_value = @seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first + val = "#{(html_escape(seminar_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
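Review bot: `file_content` is now escaped on the new line, but the escape is incomplete while `#{file_title}` on the context line just below is spliced into the same `val` markup raw; if the title comes from the uploaded file's name or a user-entered field (it is assigned above the hunk), it needs `html_escape(file_title)` as well, otherwise the protection added here can be bypassed through the title. The `File.read(file_path) rescue ""` context line reads whatever `file_path` names and renders it, so a comment stating that `file_path` is always derived from the stored upload and never from request input would document the assumption this block relies on, if that holds. The enclosing `if names[1] == "file"` block starts above the hunk.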
") rescue "")}
" + else + val = html_escape(@seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "" + end %> <% elsif names[0] == "seminar_signup" %> <% val = (seminar_signup.send("display_"+names[1]) rescue seminar_signup.send(names[1])) rescue nil %> <% elsif names[0] == "seminar_review_result" %> diff --git a/app/views/admin/seminar_signups/edit.html.erb b/app/views/admin/seminar_signups/edit.html.erb index 0e50a48..93a2955 100644 --- a/app/views/admin/seminar_signups/edit.html.erb +++ b/app/views/admin/seminar_signups/edit.html.erb @@ -163,14 +163,6 @@ <%= f.email_field :email, :class=>"input-block-level", :placeholder=> t(:email), :required => true %> check mail - -
- -
- <%= f.text_field :password, :class=>"input-block-level", :placeholder=> t('seminar_signup.password') %> - <%= t('seminar_signup.password_message') %> -
-
<% end %> <% @form_index = 0 %> diff --git a/app/views/admin/seminars/_form.html.erb b/app/views/admin/seminars/_form.html.erb index 99172a4..b026be9 100644 --- a/app/views/admin/seminars/_form.html.erb +++ b/app/views/admin/seminars/_form.html.erb @@ -185,20 +185,20 @@ <%= t("seminar_signup.#{attr_signup.field_name}") %> - <%= show_set_field(attr_signup,'seminar_signup_field_sets',signup_index,'name') %> + <%= show_set_field(attr_signup,'seminar_signup_field_sets_attributes',signup_index,'name') %> - <%= show_set_field(attr_signup,'seminar_signup_field_sets',signup_index,'placeholder') %> + <%= show_set_field(attr_signup,'seminar_signup_field_sets_attributes',signup_index,'placeholder') %> - - - <%= check_box_tag("seminar_main[seminar_signup_field_sets][#{signup_index}][disabled]", true ,attr_signup.disabled) %> + + + <%= check_box_tag("seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][disabled]", true ,attr_signup.disabled) %> <% if attr_signup.field_name != 'recaptcha' %> - - <%= check_box_tag("seminar_main[seminar_signup_field_sets][#{signup_index}][hidden]", true ,attr_signup.hidden) %> + + <%= check_box_tag("seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][hidden]", true ,attr_signup.hidden) %> <% end %> 
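Review bot: The new `seminar_main[seminar_signup_field_sets_attributes][...]` names (and those in the `@@ -224` and `@@ -282` hunks) reach the model only if `seminar_params` in `Admin::SeminarsController` permits the three `_attributes` keys, `id` included, and `SeminarMain` declares `accepts_nested_attributes_for` for those associations; neither appears in this patch, so it needs confirming, and any key the controller does not permit is silently dropped. `check_box_tag(..., true, attr_signup.disabled)` emits no hidden companion, so an unchecked box sends nothing; if the update action feeds these into nested attributes on existing records as create now does, `disabled`/`hidden` can be set but never cleared from this form. `hidden_field_tag(name, false)` immediately before each `check_box_tag` with the same name, or `fields_for` with `check_box`, sends the false value.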
@@ -224,19 +224,19 @@ <%= t("seminar_signup.#{attr_signup.field_name}") %> - <%= show_set_field(attr_signup,'seminar_submission_field_sets',submission_index,'name') %> + <%= show_set_field(attr_signup,'seminar_submission_field_sets_attributes',submission_index,'name') %> - <%= show_set_field(attr_signup,'seminar_submission_field_sets',submission_index,'placeholder') %> + <%= show_set_field(attr_signup,'seminar_submission_field_sets_attributes',submission_index,'placeholder') %> - - - <%= check_box_tag("seminar_main[seminar_submission_field_sets][#{submission_index}][disabled]", true ,attr_signup.disabled) %> + + + <%= check_box_tag("seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][disabled]", true ,attr_signup.disabled) %> - - <%= check_box_tag("seminar_main[seminar_submission_field_sets][#{submission_index}][hidden]", true ,attr_signup.hidden) %> + + <%= check_box_tag("seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][hidden]", true ,attr_signup.hidden) %> <% end %> @@ -282,13 +282,13 @@ <%= seminar_signup_field.title rescue '' %> - - <%= check_box_tag("seminar_main[seminar_signup_field_customs][#{custom_index}][hidden]", true ,attr_custom.hidden) %> + + <%= check_box_tag("seminar_main[seminar_signup_field_customs_attributes][#{custom_index}][hidden]", true ,attr_custom.hidden) %> <% if !attr_custom.new_record? %> - + <% elsif f.object.copy_id.present? %> - + <% end %> <% end %> diff --git a/app/views/admin/seminars/_get_display_fields.html.erb b/app/views/admin/seminars/_get_display_fields.html.erb index 88f212e..35cc0f4 100644 --- a/app/views/admin/seminars/_get_display_fields.html.erb +++ b/app/views/admin/seminars/_get_display_fields.html.erb 
@@ -11,9 +11,15 @@ <% if @seminar.present? %> <% if @seminar.seminar_signup_field_sets.count != 0 %> <% @seminar.seminar_signup_field_sets.each do |field_set| %> - <% next if field_set.field_name == "password" %> - <% default_hidden << "seminar_signup_field_set.#{field_set.field_name}" if (field_set.hidden) %> - <% @field_names << "seminar_signup_field_set.#{field_set.field_name}" %> + <% + field_name = field_set.field_name + if SeminarMain::ExceptFieldSetDisplays.include?(field_name) + default_hidden << "seminar_signup_field_set.#{field_name}" + next + end + %> + <% default_hidden << "seminar_signup_field_set.#{field_name}" if (field_set.hidden) %> + <% @field_names << "seminar_signup_field_set.#{field_name}" %> <% @field_name_translations << field_set.name[I18n.locale] %> <% end %> <% else %> @@ -22,15 +28,11 @@ <% @field_name_translations << t(th) %> <% end %> <% end %> - <% if false #@seminar.seminar_signup_field_customs.count != 0 %> + <% if @seminar.seminar_signup_field_customs.count != 0 %> <% @seminar.seminar_signup_field_customs.each do |field_set| %> <% s = SeminarSignupField.where(id:field_set.seminar_signup_field_id).first %> - <% title = s.title rescue '' %> - <% next if title.blank? %> <% next if s.key.blank? %> <% default_hidden << "seminar_signup_field_custom.#{s.key}" if (field_set.hidden) %> - <% @field_names << "seminar_signup_field_custom.#{s.key}" %> - <% @field_name_translations << (title)%> <% end %> <% end %> <% @seminar.seminar_signup_fields.each do |s| %> @@ -71,6 +73,8 @@ <% @display_field = @seminar_signup_admin_setting.display_field rescue [] %> <% if @display_field.blank? @display_field = @field_names - default_hidden + else + @display_field = @display_field - SeminarMain::ExceptFieldSetDisplays.map{|f| "seminar_signup_field_set.#{f}"} end %> <% if @enable_review_result @field_names.insert(1,"seminar_review_result.review") 
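Review bot: `SeminarMain::ExceptFieldSetDisplays.map{|f| "seminar_signup_field_set.#{f}"}` on the new `else` line of the `@@ -71` hunk is rebuilt verbatim in the `@@ -141` hunk, and the `ExceptFieldSetDisplays.include?(field_name)` test in `@@ -11` is repeated in `@@ -92`; one model method, `def self.except_field_set_display_keys; ExceptFieldSetDisplays.map { |f| "seminar_signup_field_set.#{f}" }; end`, keeps the prefix and the list in a single place. In the `@@ -11` hunk the excluded names are pushed onto `default_hidden` right before `next`, so they never reach `@field_names` and the later `@field_names - default_hidden` has nothing to remove for them; either drop that push or add a comment saying it is intentional. The `<% @display_field = @seminar_signup_admin_setting.display_field rescue [] %>` context line also hides any error from the settings lookup, not only a missing setting.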
@@ -92,9 +96,12 @@ <% seminar_signup_field_sets = SeminarSignupFieldSet.all.uniq{|s| s.field_name} %> <% if seminar_signup_field_sets.count != 0 %> <% seminar_signup_field_sets.each do |field_set| %> - <% next if field_set.field_name == "password" %> - <% default_show << "seminar_signup_field_set.#{field_set.field_name}" if !(field_set.hidden) %> - <% @field_names << "seminar_signup_field_set.#{field_set.field_name}" %> + <% field_name = field_set.field_name next if SeminarMain::ExceptFieldSetDisplays.include?(field_name) %> + <% default_show << "seminar_signup_field_set.#{field_name}" if !(field_set.hidden) %> + <% @field_names << "seminar_signup_field_set.#{field_name}" %> <% @field_name_translations << field_set.name[I18n.locale] %> <% end %> <% else %>
@@ -104,13 +111,10 @@ <% end %> <% end %> <% seminar_signup_field_customs = SeminarSignupFieldCustom.all.map{|field_set| SeminarSignupField.where(id: field_set.seminar_signup_field_id).first}.select{|s| !s.nil?}.uniq{|s| s.key } %> - <% if false #seminar_signup_field_customs.count != 0 %> + <% if seminar_signup_field_customs.count != 0 %> <% seminar_signup_field_customs.each do |s| %> - <% title = s.title rescue '' %> - <% next if title.blank? %> <% next if s.key.blank? %> - <% @field_names << "seminar_signup_field_custom.#{s.key}" %> - <% @field_name_translations << (title)%> + <% default_hidden << "seminar_signup_field_custom.#{s.key}" if (field_set.hidden) %> <% end %> <% end %> <% seminar_signup_fields = SeminarSignupField.all.uniq{|s| s.key} %>
@@ -141,6 +145,8 @@ <% @display_field = @seminar_signup_admin_setting.display_field %> <% @display_field.delete("seminar_signup_field_set.password") %> <% if @display_field.blank? - @display_field = default_show + @display_field = default_show - default_hidden + else + @display_field = @display_field - SeminarMain::ExceptFieldSetDisplays.map{|f| "seminar_signup_field_set.#{f}"} end %> <% end %> 
\ No newline at end of file 
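Review bot: `field_set.hidden` on the new line of the `@@ -104` hunk names a variable that is not in scope: the loop variable here is `s` (a `SeminarSignupField` produced by the `.map{...}` on the line above) and `field_set` was only a block parameter of the earlier `seminar_signup_field_sets.each do |field_set|` loop, so this raises NameError as soon as one custom field exists, now that the `if false` guard is removed in the same hunk. The hidden flag belongs to the `SeminarSignupFieldCustom` that the `.map` discards, so iterate the customs and resolve the field per item, as the `@@ -22` hunk does for the `@seminar` branch. `default_hidden` also has to be initialised before the `if @seminar.present?` split for this branch to use it; that is outside the hunk.
```erb
<% if seminar_signup_field_customs.count != 0 %>
  <% SeminarSignupFieldCustom.all.each do |custom| %>
    <% s = SeminarSignupField.where(id: custom.seminar_signup_field_id).first %>
    <% next if s.nil? || s.key.blank? %>
    <% default_hidden << "seminar_signup_field_custom.#{s.key}" if custom.hidden %>
  <% end %>
<% end %>
```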
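Review bot: `@display_field.delete("seminar_signup_field_set.password")` on the context line just above the changed `if` of the `@@ -141` hunk mutates the array that `@seminar_signup_admin_setting.display_field` returned, i.e. the setting's value held in memory, while the new `else` line builds a fresh array with `@display_field - SeminarMain::ExceptFieldSetDisplays.map{...}` and already covers `password`. Dropping the `delete` line removes both the in-place mutation and the duplicated special case; if it is kept, a comment should say why `password` needs separate handling. The `<% end %>` that closes the enclosing branch is the last line of the hunk, so the surrounding `if @seminar.present?` structure is not visible here.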
diff --git a/app/views/admin/seminars/_seminar_signup_render_table.html.erb b/app/views/admin/seminars/_seminar_signup_render_table.html.erb index 9cbe1c3..5db3753 100644 --- a/app/views/admin/seminars/_seminar_signup_render_table.html.erb +++ b/app/views/admin/seminars/_seminar_signup_render_table.html.erb @@ -81,7 +81,7 @@ <% val = t("seminar.registration_status_#{seminar_signup.status}") if !seminar_signup.status.blank? %> <% end %> <% elsif names[0] == "seminar_signup_field_custom" || names[0] == "seminar_signup_fields" %> - <% val = seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %> + <% val = html_escape(seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "" %> <% elsif names[0] == "seminar_signup_contributes" %> <% if names[1] == "file" %> <% val = seminar_signup_contributes %> @@ -103,16 +103,17 @@ <% end %> <% end %> <% elsif names[0] == "seminar_submission_fields" %> - <% val = seminar_signup_contributes.collect{|s| (s.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "")} %> <% seminar_submission_field = seminar_signup.seminar_main.seminar_submission_fields.where(:key=>names[1]).first %> - <% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session" - val = seminar_signup_contributes.collect{|s| - seminar_submission_value = s.seminar_submission_values.where(:key=>names[1]).first - "#{(seminar_submission_value.get_value_by_locale(I18n.locale) rescue "")}"} - edit_urls[i] = [] - seminar_submission_values = seminar_signup_contributes.collect{|s| s.seminar_submission_values.where(:key=>names[1]).first } - edit_urls[i] = seminar_submission_values.map{|seminar_submission_value| edit_admin_seminar_submission_value_path(seminar_submission_value.id) rescue "#"} - end %> + <% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session" + val = seminar_signup_contributes.collect{|s| + seminar_submission_value = s.seminar_submission_values.where(:key=>names[1]).first + "#{(html_escape(seminar_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "")}
"} + edit_urls[i] = [] + seminar_submission_values = seminar_signup_contributes.collect{|s| s.seminar_submission_values.where(:key=>names[1]).first } + edit_urls[i] = seminar_submission_values.map{|seminar_submission_value| edit_admin_seminar_submission_value_path(seminar_submission_value.id) rescue nil} + else + val = seminar_signup_contributes.collect{|s| (html_escape(s.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"
") rescue "")} + end %> <% elsif names[0] == "seminar_signup" %> <% val = (seminar_signup.send("display_"+names[1]) rescue seminar_signup.send(names[1])) rescue nil %> <% elsif names[0] == "seminar_review_result" %> diff --git a/app/views/seminars/con_login.html.erb b/app/views/seminars/con_login.html.erb index 58568b2..7125135 100644 --- a/app/views/seminars/con_login.html.erb +++ b/app/views/seminars/con_login.html.erb @@ -4,7 +4,11 @@ @seminar = data["seminar"] @time_now = data["time_now"] %> - + <% if (@seminar.contribute_start_date <= @time_now && (@seminar.contribute_end_date.nil? or @seminar.contribute_end_date+1 >= @time_now ) rescue false) %>