fix vulnerability

BOYA,CHIU 2021-08-24 14:33:33 +08:00
parent a801bafd79
commit ef669084a7
3 changed files with 19 additions and 10 deletions


@ -9,6 +9,8 @@ class AsksController < ActionController::Base
subpart = OrbitHelper.get_current_widget
case subpart.widget_type
when /.*_form/
read_more_page = Page.where(id: subpart.read_more_page_id).first || Page.where(:module => 'ask').first
referer_url = read_more_page ? "/#{I18n.locale}#{read_more_page.url}" : "/#{I18n.locale}/asks"
module_app = ModuleApp.where(:key => "ask").first
categories = Array(Category.find(OrbitHelper.widget_categories)) rescue ['all']
categories = module_app.categories if categories.include? 'all'
@ -28,7 +30,7 @@ class AsksController < ActionController::Base
request = OrbitHelper.request
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
switch_form = cal_switch_form(ask_settings,categories,token_tag)
switch_form = cal_switch_form(ask_settings,categories,token_tag,referer_url)
{
'fields' => defalt_fields,
'extras'=>{
@ -36,7 +38,7 @@ class AsksController < ActionController::Base
'form_url' => "/#{I18n.locale.to_s}/asks",
'submit_tag' => submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail'),
'close_tag' => button_tag(t('cancel'), type: 'reset', :class=> 'btn'),
'referer_url' => '',
'referer_url' => referer_url,
'switch_form' => switch_form
}
}
@ -99,6 +101,13 @@ class AsksController < ActionController::Base
end
def index
@params = OrbitHelper.params
case ((@params['method'] rescue params['method']) rescue nil)
when 'thank'
render :thank and return {}
when 'sorry'
render :sorry and return {}
end
referer_url = OrbitHelper.request.fullpath
if @params['item'].to_s.empty?
get_layout_type
else
@ -119,7 +128,7 @@ class AsksController < ActionController::Base
end
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
switch_form = cal_switch_form(ask_settings,categories,token_tag)
switch_form = cal_switch_form(ask_settings,categories,token_tag,referer_url)
tags = module_app.tags
ask_question = AskQuestion.new
{
@ -179,9 +188,9 @@ class AsksController < ActionController::Base
if flag
@ask_question.update_attributes(temp_params)
build_email(@ask_question)
redirect_to "#{params[:referer_url]}/?method=thank"
redirect_to "#{params[:referer_url]}?method=thank"
else
redirect_to "#{params[:referer_url]}/?method=sorry"
redirect_to "#{params[:referer_url]}?method=sorry"
end
end
@ -282,11 +291,10 @@ class AsksController < ActionController::Base
end
defalt_fields
end
def cal_html(fields,token_tag,form_id)
def cal_html(fields,token_tag,form_id,referer_url)
form_url = "/#{I18n.locale.to_s}/asks"
submit_tag = submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail')
close_tag = button_tag(t('cancel'), type: 'reset', :class=> 'btn')
referer_url = ''
tmp = fields.collect do |field|
style_html = field['style_html']
label = field['label']
@ -347,7 +355,7 @@ class AsksController < ActionController::Base
})
</script>"
end
def cal_switch_form(ask_settings,categories,token_tag)
def cal_switch_form(ask_settings,categories,token_tag,referer_url)
switch_form = ''
if ask_settings.count > 1
switch_form = script_text + ask_settings.collect do |ask_setting|
@ -357,7 +365,7 @@ class AsksController < ActionController::Base
else
form_id = ask_setting.category_id
end
cal_html(fields,token_tag,form_id)
cal_html(fields,token_tag,form_id,referer_url)
end.join
end
switch_form
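Review bot: The redirect target in `redirect_to "#{params[:referer_url]}?method=thank"` and the matching `?method=sorry` line is still taken verbatim from a submitted form parameter, so changing how the hidden field is pre-filled (the new `referer_url` assignments in the widget and `index` hunks) does not constrain what the server will redirect to; a posted value that is an absolute or protocol-relative URL would still be followed, which is the open-redirect class the commit title suggests it is fixing. The value should be checked server-side before use: accept only a local path (starts with `/` but not `//`) and otherwise fall back to the module index path the controller already builds elsewhere, `"/#{I18n.locale}/asks"`; if the app's Rails version supports it, `redirect_to ..., allow_other_host: false` would be a belt-and-braces addition, but I cannot tell the version from this hunk. The method enclosing those `redirect_to` calls starts outside the hunk. A sketch of the guard follows.
```ruby
referer = params[:referer_url].to_s
# Only follow a same-site path; anything else falls back to the module index.
referer = "/#{I18n.locale}/asks" unless referer.start_with?('/') && !referer.start_with?('//')
if flag
  # … unchanged: update_attributes / build_email …
  redirect_to "#{referer}?method=thank"
else
  redirect_to "#{referer}?method=sorry"
end
```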


@ -243,7 +243,7 @@
</div>
<% end %>
<div class="form-actions">
<input type="hidden" name="referer_url" value="<%= request.original_url.split(request.env["HTTP_HOST"]).last %>">
<input type="hidden" name="referer_url" value="<%= request.fullpath %>">
<%= f.submit t('submit'), class: 'btn btn-primary', :id => 'button-mail' %>
<%= f.button t('cancel'), type: 'reset', class: 'btn' %>
</div>
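Review bot: `request.fullpath` on the new hidden-field line includes the query string, so when this form is rendered on a page that already has one, the controller's `"#{params[:referer_url]}?method=thank"` concatenation produces a URL with two `?` and the `method` parameter is no longer parsed as intended. If only the page path is wanted here, `request.path` gives that without the query; otherwise the controller has to join with `&` when a `?` is already present. The controller-side `referer_url = OrbitHelper.request.fullpath` in the Ruby file appears to have the same property.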


@ -51,6 +51,7 @@ module Ask
OrbitApp.registration "Ask", :type => "ModuleApp" do
module_label "ask.ask"
base_url File.expand_path File.dirname(__FILE__)
set_keyword_contstraints ['/asks']
widget_methods ["widget"]
widget_settings [{"data_count"=>10}]
taggable "AskQuestion"