Fix vulnerable.
BoHung Chiu 2022-10-22 18:43:36 +08:00
parent 1100e57961
commit 8ee0655923
10 changed files with 84 additions and 87 deletions


@ -436,16 +436,18 @@ class Admin::SeminarsController < OrbitAdminController
end
end
seminar_main_params = seminar_params
seminar_signup_set_params = seminar_main_params['seminar_signup_field_sets']
seminar_submission_set_params = seminar_main_params['seminar_submission_field_sets']
seminar_email_sets_params = seminar_main_params['seminar_email_sets']
seminar_signup_field_customs_params = seminar_main_params["seminar_signup_field_customs"].to_h rescue {}
seminar_main_params["seminar_signup_field_customs"].to_h.each do |k,v|
if seminar.copy_id
seminar_signup_set_params = seminar_main_params['seminar_signup_field_sets_attributes']
seminar_submission_set_params = seminar_main_params['seminar_submission_field_sets_attributes']
seminar_email_sets_params = seminar_main_params['seminar_email_sets_attributes']
seminar_signup_field_customs_params = seminar_main_params["seminar_signup_field_customs_attributes"].to_h rescue {}
seminar_signup_field_customs_params.each do |k,v|
v.delete "title"
end
seminar_main_params.delete(:seminar_signup_field_sets)
seminar_main_params.delete(:seminar_submission_field_sets)
seminar_main_params.delete(:seminar_email_sets)
seminar_main_params.delete(:seminar_signup_field_sets_attributes)
seminar_main_params.delete(:seminar_submission_field_sets_attributes)
seminar_main_params.delete(:seminar_email_sets_attributes)
end
seminar = SeminarMain.new(seminar_main_params)
seminar.create_user_id = current_user.id
seminar.update_user_id = current_user.id
@ -466,16 +468,6 @@ class Admin::SeminarsController < OrbitAdminController
seminar_signup_field_customs_params.each_with_index do |(key,value),i|
seminar.seminar_signup_field_customs[i].update(:seminar_signup_field_id => seminar.seminar_signup_fields.where(:title=>value["title"]).first.id) rescue nil
end
else
seminar_signup_set_params.each do |key,value|
seminar.seminar_signup_field_sets.create(value)
end
seminar_submission_set_params.each do |key,value|
seminar.seminar_submission_field_sets.create(value)
end
seminar_email_sets_params.each do |key,value|
seminar.seminar_email_sets.create(value)
end
end
redirect_to params['referer_url']
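Review bot: `if seminar.copy_id` on the new branch is evaluated before `seminar = SeminarMain.new(seminar_main_params)` later in the same hunk; unless `seminar` is assigned earlier in the action or is a controller method, which this hunk does not show, that line raises NameError and the copy path never runs. The `rescue {}` modifier on the `seminar_signup_field_customs_attributes` line is not guarding against nil (`nil.to_h` is already `{}`), so whatever it swallows — presumably an unpermitted-parameters error from `.to_h` — is a signal that should surface in logs rather than silently drop the custom fields. In the non-copy path the `*_attributes` keys now reach `SeminarMain.new` untouched, so the nested keys a client may set are exactly what `seminar_params` permits; a comment such as `# non-copy case: *_attributes are consumed by the model's nested-attributes handling` would make that dependency visible. `redirect_to params['referer_url']` on the last line follows any client-supplied value, including an absolute URL to another host. The enclosing action starts before this hunk.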


@ -446,7 +446,7 @@ class SeminarsController < ApplicationController
status_param = ''
send_mail('signup',params[:seminar_signup][:email],params[:seminar_signup][:seminar_main_id],extra_text)
end
redirect_to "#{params[:referer_url]}/?method=signup_ok#{status_param}&serial_number=#{@seminar_signup.display_serial_number}"
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=signup_ok#{status_param}&serial_number=#{@seminar_signup.display_serial_number}"
else
if !@signup.blank?
redirect_to "#{params[:referer_url]}", :notice => 'mail已存在'
@ -532,7 +532,7 @@ class SeminarsController < ApplicationController
end
@seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
@seminar.save
redirect_to "#{params[:referer_url]}/?method=con_upload"
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
else
redirect_to "#{params[:referer_url]}", :notice => t('recaptcha.errors.verification_failed')
end
@ -582,7 +582,7 @@ class SeminarsController < ApplicationController
end
@seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
@seminar.save
redirect_to "#{params[:referer_url]}/?method=con_upload"
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
else
redirect_to "#{params[:referer_url]}", :notice => t('recaptcha.errors.verification_failed')
end
@ -607,7 +607,7 @@ class SeminarsController < ApplicationController
end
@seminar.unassigned_seminar_signup_ids = unassigned_seminar_signup_ids
@seminar.save
redirect_to "#{params[:referer_url]}/?method=con_upload"
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
end
@ -711,9 +711,9 @@ class SeminarsController < ApplicationController
session[:seminar_signup_id] = @seminar_signup.id
session[:seminar_main_id] = @seminar_signup.seminar_main_id
redirect_to "#{params[:referer_url]}/?method=con_upload"
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_upload"
else
redirect_to "#{params[:referer_url]}/?method=con_login", :notice => '登入失敗'
redirect_to "#{params[:referer_url].to_s.chomp('/')}/?method=con_login", :notice => '登入失敗'
end
end
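Review bot: `params[:referer_url]` is still used verbatim as the redirect destination on every changed line (and on the unchanged `redirect_to "#{params[:referer_url]}", :notice => …` lines), so `chomp('/')` only removes the doubled slash and leaves the target fully client-controlled — an absolute URL to another host is still followed. Validate it once, e.g. parse with `URI.parse(params[:referer_url].to_s)` (rescuing `URI::InvalidURIError`) and accept it only when `uri.host.nil? && uri.path.start_with?('/')`, otherwise fall back to a known route, then build these redirects from the validated path. The five near-identical lines would then collapse to one helper call, which also removes the temptation to fix each site separately. The enclosing actions start before their hunks.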


@ -8,6 +8,7 @@ class SeminarMain
include OrbitCategory::Categorizable
include Slug
ChoiceTypes = ["checkbox","radio","select"]
ExceptFieldSetDisplays = ["password", "recaptcha"]
field :annc_count, :type => Integer, :default => 0
field :album_count, :type => Integer, :default => 0
field :copy_id
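Review bot: `ExceptFieldSetDisplays = ["password", "recaptcha"]` is a mutable constant that the views consult with `include?` and `map`, so an accidental `<<` anywhere would change which fields are hidden application-wide; `ExceptFieldSetDisplays = %w[password recaptcha].freeze` closes that. The same applies to `ChoiceTypes` directly above it and to the `HiddenFields` array extended with `"filename"` in the SeminarSignup hunk, where the list now also decides what stays out of the display. Keeping the CamelCase name is reasonable here for consistency with the file's existing constants.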


@ -3,7 +3,7 @@ class SeminarSignup
include Mongoid::Document
include Mongoid::Timestamps
HiddenFields = ['seminar_signup_id','_id', 'created_at', 'updated_at','seminar_main_id',"serial_number","final_session","final_sessions","preferred_sessions",'seminar_session_id',"seminar_session_ids","preferred_session","sort_number","abstract_number","presentation_type"]
HiddenFields = ['seminar_signup_id','_id', 'created_at', 'updated_at','seminar_main_id',"serial_number","final_session","final_sessions","preferred_sessions",'seminar_session_id',"seminar_session_ids","preferred_session","sort_number","abstract_number","presentation_type", "filename"]
DefaultEnableFields = ['status','name','tel','phone','email','password','recaptcha']
field :sort_number , type: Integer, default: 10000


@ -42,7 +42,7 @@
<% val = t("seminar.registration_status_#{seminar_signup.status}") if !seminar_signup.status.blank? %>
<% end %>
<% elsif names[0] == "seminar_signup_field_custom" || names[0] == "seminar_signup_fields" %>
<% val = seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
<% val = html_escape(seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "" %>
<% elsif names[0] == "seminar_signup_contributes" %>
<% if names[1] == "file" %>
<% seminar_signup_contribute = @seminar_signup_contribute %>
@ -69,7 +69,7 @@
<% else %>
<% file_content = File.read(file_path) rescue "" %>
<% if file_content.is_utf8? %>
<% file_content = file_content.gsub(/(\r\n|\n)/,"<br>")%>
<% file_content = html_escape(file_content).gsub(/(\r\n|\n)/,"<br>") %>
<% val = "<div class=\"text_wrap\"><a class=\"pull-right\" href=\"#{file_url}\" title=\"#{t(:download)}\" download=\"#(unknown)\">#{t(:download)}</a><div style=\"clear: both;\"></div><h4>#{file_title}</h4>#{file_content}</div>"%>
<% else %>
<% val = link_to( file_title, file_url , {:target => '_blank', :title => Nokogiri::HTML(description.gsub("<br>"," , ")).text, :download=>filename} ) if seminar_signup_contribute.file.file %>
@ -91,11 +91,12 @@
<% end %>
<% end %>
<% elsif names[0] == "seminar_submission_fields" %>
<% val = @seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
<% seminar_submission_field = seminar_signup.seminar_main.seminar_submission_fields.where(:key=>names[1]).first %>
<% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session"
seminar_submission_value = @seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first
val = "<span data-id=\"#{seminar_submission_value.id rescue ''}\">#{(seminar_submission_value.get_value_by_locale(I18n.locale) rescue "")}</span>"
val = "<span data-id=\"#{seminar_submission_value.id rescue ''}\">#{(html_escape(seminar_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}</span>"
else
val = html_escape(@seminar_signup_contribute.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue ""
end %>
<% elsif names[0] == "seminar_signup" %>
<% val = (seminar_signup.send("display_"+names[1]) rescue seminar_signup.send(names[1])) rescue nil %>
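Review bot: In the `file_content.is_utf8?` branch `file_content` is now escaped, but `file_title` and `file_url` on the very next line are still interpolated raw into the `<a href>`/`<h4>` markup; if either derives from an uploaded file name the same `html_escape(...)` is needed there, which this hunk does not show. The `rescue ""` modifiers wrapped around the new `html_escape(...).gsub(...)` calls also catch the NoMethodError from `.first` returning nil, so a missing value and a genuine failure look identical; `&.get_value_by_locale(...)` on the `.first` result keeps the fallback without masking other exceptions. Since `.gsub` on the escaped buffer presumably yields a plain String, `val` must keep being emitted with `raw`, as the existing `<span>`/`<div>` fragments already require — worth a comment: `<%# val holds pre-escaped HTML fragments; render with raw, never escape again %>`. The enclosing `if/elsif` chain starts and ends outside the hunk.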


@ -164,14 +164,6 @@
</div>
</div>
<div class="control-group <%= @seminar.registration_status[0] == 'C' ? '' : 'hide' %>" id="registration_status">
<label for="password" class="control-label muted">*<%= t('seminar_signup.password') %></label>
<div class="controls">
<%= f.text_field :password, :class=>"input-block-level", :placeholder=> t('seminar_signup.password') %>
<%= t('seminar_signup.password_message') %>
</div>
</div>
<% end %>
<% @form_index = 0 %>
<% @seminar.seminar_signup_fields.asc(:_id).each do |rf| %>


@ -185,20 +185,20 @@
<%= t("seminar_signup.#{attr_signup.field_name}") %>
</td>
<td>
<%= show_set_field(attr_signup,'seminar_signup_field_sets',signup_index,'name') %>
<%= show_set_field(attr_signup,'seminar_signup_field_sets_attributes',signup_index,'name') %>
</td>
<td>
<%= show_set_field(attr_signup,'seminar_signup_field_sets',signup_index,'placeholder') %>
<%= show_set_field(attr_signup,'seminar_signup_field_sets_attributes',signup_index,'placeholder') %>
</td>
<td>
<input type="hidden" class="field_name" name='<%= "seminar_main[seminar_signup_field_sets][#{signup_index}][field_name]" %>' value="<%= attr_signup.field_name %>">
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_sets][#{signup_index}][disabled]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_sets][#{signup_index}][disabled]", true ,attr_signup.disabled) %>
<input type="hidden" class="field_name" name='<%= "seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][field_name]" %>' value="<%= attr_signup.field_name %>">
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][disabled]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][disabled]", true ,attr_signup.disabled) %>
</td>
<td>
<% if attr_signup.field_name != 'recaptcha' %>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_sets][#{signup_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_sets][#{signup_index}][hidden]", true ,attr_signup.hidden) %>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_sets_attributes][#{signup_index}][hidden]", true ,attr_signup.hidden) %>
<% end %>
</td>
</tr>
@ -224,19 +224,19 @@
<%= t("seminar_signup.#{attr_signup.field_name}") %>
</td>
<td>
<%= show_set_field(attr_signup,'seminar_submission_field_sets',submission_index,'name') %>
<%= show_set_field(attr_signup,'seminar_submission_field_sets_attributes',submission_index,'name') %>
</td>
<td>
<%= show_set_field(attr_signup,'seminar_submission_field_sets',submission_index,'placeholder') %>
<%= show_set_field(attr_signup,'seminar_submission_field_sets_attributes',submission_index,'placeholder') %>
</td>
<td>
<input type="hidden" class="field_name" name='<%= "seminar_main[seminar_submission_field_sets][#{submission_index}][field_name]" %>' value="<%= attr_signup.field_name %>">
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_submission_field_sets][#{submission_index}][disabled]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_submission_field_sets][#{submission_index}][disabled]", true ,attr_signup.disabled) %>
<input type="hidden" class="field_name" name='<%= "seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][field_name]" %>' value="<%= attr_signup.field_name %>">
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][disabled]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][disabled]", true ,attr_signup.disabled) %>
</td>
<td>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_submission_field_sets][#{submission_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_submission_field_sets][#{submission_index}][hidden]", true ,attr_signup.hidden) %>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_submission_field_sets_attributes][#{submission_index}][hidden]", true ,attr_signup.hidden) %>
</td>
</tr>
<% end %>
@ -282,13 +282,13 @@
<%= seminar_signup_field.title rescue '' %>
</td>
<td>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_customs][#{custom_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_customs][#{custom_index}][hidden]", true ,attr_custom.hidden) %>
<input type="hidden" class="field_set" name='<%= "seminar_main[seminar_signup_field_customs_attributes][#{custom_index}][hidden]" %>' value="false">
<%= check_box_tag("seminar_main[seminar_signup_field_customs_attributes][#{custom_index}][hidden]", true ,attr_custom.hidden) %>
</td>
<% if !attr_custom.new_record? %>
<input for="field_0" id="seminar_main_seminar_signup_field_customs_<%= custom_index.to_s %>_id" name="seminar_main[seminar_signup_field_customs][<%= custom_index.to_s %>][id]" type="hidden" value="<%= attr_custom.id.to_s %>">
<input for="field_0" id="seminar_main_seminar_signup_field_customs_attributes_<%= custom_index.to_s %>_id" name="seminar_main[seminar_signup_field_customs_attributes][<%= custom_index.to_s %>][id]" type="hidden" value="<%= attr_custom.id.to_s %>">
<% elsif f.object.copy_id.present? %>
<input name="seminar_main[seminar_signup_field_customs][<%= custom_index.to_s %>][title]" type="hidden" value="<%= attr_custom.seminar_signup_field.title.to_s %>">
<input name="seminar_main[seminar_signup_field_customs_attributes][<%= custom_index.to_s %>][title]" type="hidden" value="<%= attr_custom.seminar_signup_field.title.to_s %>">
<% end %>
</tr>
<% end %>


@ -11,9 +11,15 @@
<% if @seminar.present? %>
<% if @seminar.seminar_signup_field_sets.count != 0 %>
<% @seminar.seminar_signup_field_sets.each do |field_set| %>
<% next if field_set.field_name == "password" %>
<% default_hidden << "seminar_signup_field_set.#{field_set.field_name}" if (field_set.hidden) %>
<% @field_names << "seminar_signup_field_set.#{field_set.field_name}" %>
<%
field_name = field_set.field_name
if SeminarMain::ExceptFieldSetDisplays.include?(field_name)
default_hidden << "seminar_signup_field_set.#{field_name}"
next
end
%>
<% default_hidden << "seminar_signup_field_set.#{field_name}" if (field_set.hidden) %>
<% @field_names << "seminar_signup_field_set.#{field_name}" %>
<% @field_name_translations << field_set.name[I18n.locale] %>
<% end %>
<% else %>
@ -22,15 +28,11 @@
<% @field_name_translations << t(th) %>
<% end %>
<% end %>
<% if false #@seminar.seminar_signup_field_customs.count != 0 %>
<% if @seminar.seminar_signup_field_customs.count != 0 %>
<% @seminar.seminar_signup_field_customs.each do |field_set| %>
<% s = SeminarSignupField.where(id:field_set.seminar_signup_field_id).first %>
<% title = s.title rescue '' %>
<% next if title.blank? %>
<% next if s.key.blank? %>
<% default_hidden << "seminar_signup_field_custom.#{s.key}" if (field_set.hidden) %>
<% @field_names << "seminar_signup_field_custom.#{s.key}" %>
<% @field_name_translations << (title)%>
<% end %>
<% end %>
<% @seminar.seminar_signup_fields.each do |s| %>
@ -71,6 +73,8 @@
<% @display_field = @seminar_signup_admin_setting.display_field rescue [] %>
<% if @display_field.blank?
@display_field = @field_names - default_hidden
else
@display_field = @display_field - SeminarMain::ExceptFieldSetDisplays.map{|f| "seminar_signup_field_set.#{f}"}
end %>
<% if @enable_review_result
@field_names.insert(1,"seminar_review_result.review")
@ -92,9 +96,12 @@
<% seminar_signup_field_sets = SeminarSignupFieldSet.all.uniq{|s| s.field_name} %>
<% if seminar_signup_field_sets.count != 0 %>
<% seminar_signup_field_sets.each do |field_set| %>
<% next if field_set.field_name == "password" %>
<% default_show << "seminar_signup_field_set.#{field_set.field_name}" if !(field_set.hidden) %>
<% @field_names << "seminar_signup_field_set.#{field_set.field_name}" %>
<%
field_name = field_set.field_name
next if SeminarMain::ExceptFieldSetDisplays.include?(field_name)
%>
<% default_show << "seminar_signup_field_set.#{field_name}" if !(field_set.hidden) %>
<% @field_names << "seminar_signup_field_set.#{field_name}" %>
<% @field_name_translations << field_set.name[I18n.locale] %>
<% end %>
<% else %>
@ -104,13 +111,10 @@
<% end %>
<% end %>
<% seminar_signup_field_customs = SeminarSignupFieldCustom.all.map{|field_set| SeminarSignupField.where(id: field_set.seminar_signup_field_id).first}.select{|s| !s.nil?}.uniq{|s| s.key } %>
<% if false #seminar_signup_field_customs.count != 0 %>
<% if seminar_signup_field_customs.count != 0 %>
<% seminar_signup_field_customs.each do |s| %>
<% title = s.title rescue '' %>
<% next if title.blank? %>
<% next if s.key.blank? %>
<% @field_names << "seminar_signup_field_custom.#{s.key}" %>
<% @field_name_translations << (title)%>
<% default_hidden << "seminar_signup_field_custom.#{s.key}" if (field_set.hidden) %>
<% end %>
<% end %>
<% seminar_signup_fields = SeminarSignupField.all.uniq{|s| s.key} %>
@ -141,6 +145,8 @@
<% @display_field = @seminar_signup_admin_setting.display_field %>
<% @display_field.delete("seminar_signup_field_set.password") %>
<% if @display_field.blank?
@display_field = default_show
@display_field = default_show - default_hidden
else
@display_field = @display_field - SeminarMain::ExceptFieldSetDisplays.map{|f| "seminar_signup_field_set.#{f}"}
end %>
<% end %>
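Review bot: `default_hidden << "seminar_signup_field_custom.#{s.key}" if (field_set.hidden)` sits inside the `seminar_signup_field_customs.each do |s|` loop, whose only parameter is `s`; if that line survives on the new side it raises NameError the first time a custom field exists, and the now-enabled `if seminar_signup_field_customs.count != 0` (previously dead under `if false`) makes it reachable. The loop iterates `SeminarSignupField` records produced by the `map` above, so the custom record's `hidden` flag is no longer available there; either carry it through the map or drop the condition. `@display_field.delete("seminar_signup_field_set.password")` above the last `if` is now redundant with the added `- SeminarMain::ExceptFieldSetDisplays.map{...}` and, presumably, mutates the stored setting in place; the subtraction alone suffices. Whether `title` on the unchanged `@field_name_translations << (title)` line still has a definition after the removals cannot be told from the rendered hunk.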


@ -81,7 +81,7 @@
<% val = t("seminar.registration_status_#{seminar_signup.status}") if !seminar_signup.status.blank? %>
<% end %>
<% elsif names[0] == "seminar_signup_field_custom" || names[0] == "seminar_signup_fields" %>
<% val = seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "" %>
<% val = html_escape(seminar_signup.seminar_signup_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "" %>
<% elsif names[0] == "seminar_signup_contributes" %>
<% if names[1] == "file" %>
<% val = seminar_signup_contributes %>
@ -103,15 +103,16 @@
<% end %>
<% end %>
<% elsif names[0] == "seminar_submission_fields" %>
<% val = seminar_signup_contributes.collect{|s| (s.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale) rescue "")} %>
<% seminar_submission_field = seminar_signup.seminar_main.seminar_submission_fields.where(:key=>names[1]).first %>
<% if seminar_submission_field && seminar_submission_field.markup == "seminar_preferred_session"
val = seminar_signup_contributes.collect{|s|
seminar_submission_value = s.seminar_submission_values.where(:key=>names[1]).first
"<span data-id=\"#{seminar_submission_value.id rescue ''}\">#{(seminar_submission_value.get_value_by_locale(I18n.locale) rescue "")}</span>"}
"<span data-id=\"#{seminar_submission_value.id rescue ''}\">#{(html_escape(seminar_submission_value.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}</span>"}
edit_urls[i] = []
seminar_submission_values = seminar_signup_contributes.collect{|s| s.seminar_submission_values.where(:key=>names[1]).first }
edit_urls[i] = seminar_submission_values.map{|seminar_submission_value| edit_admin_seminar_submission_value_path(seminar_submission_value.id) rescue "#"}
edit_urls[i] = seminar_submission_values.map{|seminar_submission_value| edit_admin_seminar_submission_value_path(seminar_submission_value.id) rescue nil}
else
val = seminar_signup_contributes.collect{|s| (html_escape(s.seminar_submission_values.where(:key=>names[1]).first.get_value_by_locale(I18n.locale)).gsub(/(\r\n|\n)/,"<br>") rescue "")}
end %>
<% elsif names[0] == "seminar_signup" %>
<% val = (seminar_signup.send("display_"+names[1]) rescue seminar_signup.send(names[1])) rescue nil %>
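Review bot: `edit_urls[i] = seminar_submission_values.map{|seminar_submission_value| edit_admin_seminar_submission_value_path(seminar_submission_value.id) rescue nil}` swaps `"#"` for `nil` but keeps a modifier `rescue` that hides every error from the route helper, and `edit_urls[i] = []` two lines above is a dead assignment. The only expected failure is `.first` returning nil, so `seminar_submission_values.map { |v| v && edit_admin_seminar_submission_value_path(v.id) }` expresses that directly. The `html_escape(...).gsub(...)` results are plain strings interpolated into `<span>` markup, so `val` must still be emitted with `raw` downstream; a comment such as `<%# val holds pre-escaped HTML fragments; render with raw %>` records that for the next maintainer. The enclosing `if/elsif` chain starts and ends outside the hunk.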


@ -4,7 +4,11 @@
@seminar = data["seminar"]
@time_now = data["time_now"]
%>
<style type="text/css">
.alert-error{
color: red;
}
</style>
<% if (@seminar.contribute_start_date <= @time_now && (@seminar.contribute_end_date.nil? or @seminar.contribute_end_date+1 >= @time_now ) rescue false) %>
<section id="main-wrap">