saurabh
/
announcement-test
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix vulnerability

This commit is contained in:
chiu 2021-08-04 20:05:15 +08:00
parent 34b74ff308
commit 6f14f00478
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/announcements_controller.rb
View File

@ -497,6 +497,7 @@ class AnnouncementsController < ApplicationController
end end
def get_file def get_file
@url = request.path @url = request.path
render :text => "Path not allow",:status => 404 if @url.match(/\/\.\./)
begin begin
file = BulletinFile.find(params[:id]) file = BulletinFile.find(params[:id])
if File.basename(file.file.path) != URI.decode(params[:f_name]) if File.basename(file.file.path) != URI.decode(params[:f_name])