Fix vulnerable.

2022-10-24 16:09:44 +08:00 · 2022-10-24 16:09:44 +08:00 · 4dcb3b5b1d
parent 26e9ef8d43
commit 4dcb3b5b1d
2 changed files with 5 additions and 4 deletions
--- a/app/controllers/admin/patents_controller.rb
+++ b/app/controllers/admin/patents_controller.rb
@ -53,7 +53,7 @@ class Admin::PatentsController < OrbitMemberController
  end

  def new
-    @member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
    @patent = Patent.new

    if params[:desktop]
@ -203,7 +203,7 @@ class Admin::PatentsController < OrbitMemberController
  end

  def frontend_setting
-    @member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+    @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
    @intro = PatentIntro.find_by(:member_profile_id=>@member.id) rescue nil
    @intro = @intro.nil? ? PatentIntro.new({:member_profile_id=>@member.id}) : @intro
  end
--- a/app/controllers/personal_patents_controller.rb
+++ b/app/controllers/personal_patents_controller.rb
@ -95,7 +95,8 @@ class PersonalPatentsController < ApplicationController
    choice = choice.map { |value| value.inject :merge }
    select_text = t('personal_patent.search_class')
    search_text = t('personal_patent.word_to_search')
-    csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+    @_request = OrbitHelper.request
+    csrf_value = form_authenticity_token
    {
      'patents' => patent_list,
      'extras' => { 'widget-title' => t('module_name.personal_patent'),
@ -112,7 +113,7 @@ class PersonalPatentsController < ApplicationController

  def show
    params = OrbitHelper.params
-    plugin = Patent.where(is_hidden: false).find_by(uid: params[:uid])
+    plugin = Patent.where(is_hidden: false).find_by(uid: params[:uid].to_s)
    fields_to_show = %w[
      patent_title
      patent_no