Fix vulnerable.

app/controllers/archives_controller.rb

@@ -5,14 +5,8 @@ class ArchivesController < ApplicationController
 	end
 	#avoid the categories to be not in the ArchiveCategory
 	def serve_cmap
-		file_name = params[:file_name].to_s
+		file_name = File.basename(params[:file_name].to_s)
-		if file_name.include?('/')
+		extension = File.basename(params[:extension].to_s)
-			file_name = file_name.split('/').last
-		end
-		extension = params[:extension].to_s
-		if extension.include?('/')
-			extension = extension.split('/').last
-		end
 		serve_path=File.expand_path("../../assets/javascripts/archive/pdf/bcmaps/#{file_name}.#{extension}",__FILE__)
 		if Dir.glob(serve_path).length != 0
 			send_file(serve_path, type: "application/octet-stream")
@@ -244,8 +238,8 @@ class ArchivesController < ApplicationController
 			@url = file.file.url
 			begin
 				@path = file.file.file.file rescue ""
-				@filename = @path.split("/").last
+				@filename = File.basename(@path)
-				@ext = @path.split("/").last.to_s.split(".").last
+				@ext = @filename.split(".").last
 				if @ext == "png" || @ext == "jpg" || @ext == "bmp" || @ext == "pdf"
 					render "download_file",:layout=>false
 				else