Fix remote code execution exploit

Yuki 2015-09-01 18:44:31 +05:30
parent 419b578956
commit 5d3d3a68e7
1 changed files with 15 additions and 6 deletions


@ -23,11 +23,20 @@ class Ajax::ReportController < ApplicationController
return return
end end
object = if params[:type] == 'user' obj = params[:type].strip.capitalize
User.find_by_screen_name params[:id]
else object = case params[:type].strip.capitalize
params[:type].strip.capitalize.constantize.find params[:id] when 'User'
end User.find_by_screen_name params[:id]
when 'Question'
Question
when 'Answer'
Answer
when 'Comment'
Comment
else
Answer
end
if object.nil? if object.nil?
@message = I18n.t('messages.report.create.not_found', parameter: params[:type]) @message = I18n.t('messages.report.create.not_found', parameter: params[:type])