fix vulnerability

chiu 2021-08-04 20:05:15 +08:00
parent 34b74ff308
commit 6f14f00478
1 changed files with 1 additions and 0 deletions


@ -497,6 +497,7 @@ class AnnouncementsController < ApplicationController
end
def get_file
@url = request.path
render :text => "Path not allow",:status => 404 if @url.match(/\/\.\./)
begin
file = BulletinFile.find(params[:id])
if File.basename(file.file.path) != URI.decode(params[:f_name])
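Review bot: The `render ... if @url.match(/\/\.\./)` guard in `get_file` (apparently the line this commit adds; the page has lost its `+` marker) does not stop the action, because `render` does not return from the method, so a rejected request still falls through to `BulletinFile.find` and whatever is sent afterwards, likely ending in a double-render error rather than a clean 404. Make it `return render(:text => "Path not allow", :status => 404) if @url.match(/\/\.\./)`. The test also runs on the raw `request.path`, while the comparison below uses `URI.decode(params[:f_name])`, so the value being checked is not the value being used; applying the check to the decoded file name, or relying only on the stored `file.file.path` when serving, would be more robust. The body of `get_file` continues past the end of the hunk, so what is finally sent to the client is not visible here.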