Fix vulnerable.

BoHung Chiu 2022-11-01 21:07:41 +08:00
parent d150a698cd
commit 455523cb09
2 changed files with 9 additions and 9 deletions


@ -112,8 +112,8 @@ class Admin::PatchfilesController < OrbitAdminController
@file = params["fontfile"]["font_file"] if params["fontfile"]["font_file"] != "" @file = params["fontfile"]["font_file"] if params["fontfile"]["font_file"] != ""
@file_path = Rails.root.to_s + '/app/assets/fonts' @file_path = Rails.root.to_s + '/app/assets/fonts'
if @file.nil? != true if !@file.nil?
@file_name = @file.original_filename @file_name = File.basename(@file.original_filename)
@file_content = @file.read @file_content = @file.read
@file_content.force_encoding('UTF-8') @file_content.force_encoding('UTF-8')
File.open("#{@file_path}/#{@file_name}","w+") do |f| File.open("#{@file_path}/#{@file_name}","w+") do |f|
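Review bot: The `File.basename` on the new side of L15 closes the `../` traversal but still accepts any name or extension, so the upload is written verbatim under a caller-chosen name into `app/assets/fonts` by the `File.open` on L18 (a `.rb`, a dotfile, or `..` itself — `File.basename("..")` returns `".."`). I would add an allowlist right after the basename call, e.g. `raise ActionController::BadRequest, "invalid font file name" unless @file_name =~ /\A[\w-][\w.-]*\.(ttf|otf|woff2?|eot)\z/i`, with the extension list adjusted to whatever formats this directory is actually meant to hold. The `File.open` block opened on L18 continues outside the hunk, so I have not checked what happens to the handle or the written content after this point.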


@ -707,8 +707,8 @@ module ApplicationHelper
plugin = OrbitApp::Plugin::Registration.find_by_module_app_name(page.module.classify) || OrbitApp::Plugin::Registration.find_by_module_app_name(page.module) plugin = OrbitApp::Plugin::Registration.find_by_module_app_name(page.module.classify) || OrbitApp::Plugin::Registration.find_by_module_app_name(page.module)
override_data = {'widget-title'=>plugin.name} override_data = {'widget-title'=>plugin.name}
end end
filename = overridehtml.nil? ? params[:layout_type].to_s.split('/').last : overridehtml filename = overridehtml.nil? ? File.basename(params[:layout_type]) : overridehtml
module_name = params[:target_controller].to_s.split('/').last.singularize module_name = File.basename(params[:target_controller]).singularize
f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#(unknown).html.erb") f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#(unknown).html.erb")
if !File.exists?f if !File.exists?f
f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "index.html.erb") f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "index.html.erb")
@ -768,8 +768,8 @@ module ApplicationHelper
return "<div class='well'>No content to show.</div>".html_safe return "<div class='well'>No content to show.</div>".html_safe
end end
else else
filename = overridehtml.nil? ? params[:target_action].to_s.split('/').last : overridehtml filename = overridehtml.nil? ? File.basename(params[:target_action]) : overridehtml
module_name = params[:target_controller].to_s.split('/').last.singularize module_name = File.basename(params[:target_controller]).singularize
f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#(unknown).html.erb") f = File.join(Rails.root, 'app', 'templates', "#{@key}", 'modules', module_name, "#(unknown).html.erb")
if File.exists?f if File.exists?f
file = File.open(f) file = File.open(f)
@ -1050,8 +1050,8 @@ module ApplicationHelper
end end
def write_debug_file(e,controller_name,action_name) def write_debug_file(e,controller_name,action_name)
controller_name = controller_name.to_s.split('/').last controller_name = File.basename(controller_name)
action_name = action_name.to_s.split('/').last action_name = File.basename(action_name)
url_dir_name = request.fullpath.split("?")[0] url_dir_name = request.fullpath.split("?")[0]
url_dir_name = URI.decode(url_dir_name) url_dir_name = URI.decode(url_dir_name)
url_dir_name = (url_dir_name == "/" ? "home" : url_dir_name.sub("/","").gsub("/","_").gsub("-","_").gsub(" ","_")) url_dir_name = (url_dir_name == "/" ? "home" : url_dir_name.sub("/","").gsub("/","_").gsub("-","_").gsub(" ","_"))