Fix remote code execution exploit

2015-09-01 18:44:31 +05:30 · 2015-09-01 18:44:31 +05:30 · 5d3d3a68e7
parent 419b578956
commit 5d3d3a68e7
1 changed files with 15 additions and 6 deletions
--- a/app/controllers/ajax/report_controller.rb
+++ b/app/controllers/ajax/report_controller.rb
@ -5,7 +5,7 @@ class Ajax::ReportController < ApplicationController
    @success = false
    render partial: "ajax/shared/status"
  end
-  
+
  def create
    params.require :id
    params.require :type
@ -23,11 +23,20 @@ class Ajax::ReportController < ApplicationController
      return
    end

-    object = if params[:type] == 'user'
-               User.find_by_screen_name params[:id]
-             else
-               params[:type].strip.capitalize.constantize.find params[:id]
-             end
+    obj = params[:type].strip.capitalize
+
+    object = case params[:type].strip.capitalize
+      when 'User'
+        User.find_by_screen_name params[:id]
+      when 'Question'
+        Question
+      when 'Answer'
+        Answer
+      when 'Comment'
+        Comment
+      else
+        Answer
+      end

    if object.nil?
      @message = I18n.t('messages.report.create.not_found', parameter: params[:type])