Fix remote code execution exploit
This commit is contained in:
parent
419b578956
commit
5d3d3a68e7
|
@ -23,11 +23,20 @@ class Ajax::ReportController < ApplicationController
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
object = if params[:type] == 'user'
|
obj = params[:type].strip.capitalize
|
||||||
User.find_by_screen_name params[:id]
|
|
||||||
else
|
object = case params[:type].strip.capitalize
|
||||||
params[:type].strip.capitalize.constantize.find params[:id]
|
when 'User'
|
||||||
end
|
User.find_by_screen_name params[:id]
|
||||||
|
when 'Question'
|
||||||
|
Question
|
||||||
|
when 'Answer'
|
||||||
|
Answer
|
||||||
|
when 'Comment'
|
||||||
|
Comment
|
||||||
|
else
|
||||||
|
Answer
|
||||||
|
end
|
||||||
|
|
||||||
if object.nil?
|
if object.nil?
|
||||||
@message = I18n.t('messages.report.create.not_found', parameter: params[:type])
|
@message = I18n.t('messages.report.create.not_found', parameter: params[:type])
|
||||||
|
|
Loading…
Reference in New Issue