Fix remote code execution exploit

Yuki 2015-09-01 18:44:31 +05:30
parent 419b578956
commit 5d3d3a68e7
1 changed files with 15 additions and 6 deletions


@ -23,10 +23,19 @@ class Ajax::ReportController < ApplicationController
return return
end end
object = if params[:type] == 'user' obj = params[:type].strip.capitalize
object = case params[:type].strip.capitalize
when 'User'
User.find_by_screen_name params[:id] User.find_by_screen_name params[:id]
when 'Question'
Question
when 'Answer'
Answer
when 'Comment'
Comment
else else
params[:type].strip.capitalize.constantize.find params[:id] Answer
end end
if object.nil? if object.nil?