Merge pull request #48 from Retrospring/CVE-BREAKMAN1

CVE-BREAKMAN1
Yuki 2015-09-01 18:54:39 +05:30
commit 85b099d712
4 changed files with 72 additions and 50 deletions


@ -1,7 +1,7 @@
source 'https://rubygems.org' source 'https://rubygems.org'
source 'https://rails-assets.org' source 'https://rails-assets.org'
gem 'rails', '4.2.1' gem 'rails', '4.2.2'
gem 'rails-i18n' gem 'rails-i18n'
gem 'i18n-js' gem 'i18n-js'


@ -9,43 +9,43 @@ GEM
remote: https://rails-assets.org/ remote: https://rails-assets.org/
specs: specs:
CFPropertyList (2.3.1) CFPropertyList (2.3.1)
actionmailer (4.2.1) actionmailer (4.2.2)
actionpack (= 4.2.1) actionpack (= 4.2.2)
actionview (= 4.2.1) actionview (= 4.2.2)
activejob (= 4.2.1) activejob (= 4.2.2)
mail (~> 2.5, >= 2.5.4) mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
actionpack (4.2.1) actionpack (4.2.2)
actionview (= 4.2.1) actionview (= 4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
rack (~> 1.6) rack (~> 1.6)
rack-test (~> 0.6.2) rack-test (~> 0.6.2)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.1) rails-html-sanitizer (~> 1.0, >= 1.0.1)
actionview (4.2.1) actionview (4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
builder (~> 3.1) builder (~> 3.1)
erubis (~> 2.7.0) erubis (~> 2.7.0)
rails-dom-testing (~> 1.0, >= 1.0.5) rails-dom-testing (~> 1.0, >= 1.0.5)
rails-html-sanitizer (~> 1.0, >= 1.0.1) rails-html-sanitizer (~> 1.0, >= 1.0.1)
activejob (4.2.1) activejob (4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
globalid (>= 0.3.0) globalid (>= 0.3.0)
activemodel (4.2.1) activemodel (4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
builder (~> 3.1) builder (~> 3.1)
activerecord (4.2.1) activerecord (4.2.2)
activemodel (= 4.2.1) activemodel (= 4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
arel (~> 6.0) arel (~> 6.0)
activesupport (4.2.1) activesupport (4.2.2)
i18n (~> 0.7) i18n (~> 0.7)
json (~> 1.7, >= 1.7.7) json (~> 1.7, >= 1.7.7)
minitest (~> 5.1) minitest (~> 5.1)
thread_safe (~> 0.3, >= 0.3.4) thread_safe (~> 0.3, >= 0.3.4)
tzinfo (~> 1.1) tzinfo (~> 1.1)
addressable (2.3.8) addressable (2.3.8)
arel (6.0.0) arel (6.0.3)
bcrypt (3.1.10) bcrypt (3.1.10)
better_errors (2.1.1) better_errors (2.1.1)
coderay (>= 1.0.0) coderay (>= 1.0.0)
@ -213,7 +213,7 @@ GEM
foreman (0.78.0) foreman (0.78.0)
thor (~> 0.19.1) thor (~> 0.19.1)
formatador (0.2.5) formatador (0.2.5)
globalid (0.3.5) globalid (0.3.6)
activesupport (>= 4.1.0) activesupport (>= 4.1.0)
haml (4.0.6) haml (4.0.6)
tilt tilt
@ -243,7 +243,7 @@ GEM
turbolinks turbolinks
jquery-ui-rails (5.0.3) jquery-ui-rails (5.0.3)
railties (>= 3.2.16) railties (>= 3.2.16)
json (1.8.2) json (1.8.3)
kaminari (0.16.3) kaminari (0.16.3)
actionpack (>= 3.0.0) actionpack (>= 3.0.0)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
@ -252,18 +252,18 @@ GEM
addressable (~> 2.3) addressable (~> 2.3)
letter_opener (1.4.1) letter_opener (1.4.1)
launchy (~> 2.2) launchy (~> 2.2)
loofah (2.0.1) loofah (2.0.3)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
mail (2.6.3) mail (2.6.3)
mime-types (>= 1.16, < 3) mime-types (>= 1.16, < 3)
memoizable (0.4.2) memoizable (0.4.2)
thread_safe (~> 0.3, >= 0.3.1) thread_safe (~> 0.3, >= 0.3.1)
mime-types (2.4.3) mime-types (2.6.1)
mini_portile (0.6.2) mini_portile (0.6.2)
minitest (5.6.0) minitest (5.8.0)
momentjs-rails (2.9.0) momentjs-rails (2.9.0)
railties (>= 3.1) railties (>= 3.1)
multi_json (1.11.0) multi_json (1.11.2)
multipart-post (2.0.0) multipart-post (2.0.0)
mysql2 (0.3.18) mysql2 (0.3.18)
naught (1.0.0) naught (1.0.0)
@ -302,7 +302,7 @@ GEM
cliver (~> 0.3.1) cliver (~> 0.3.1)
multi_json (~> 1.0) multi_json (~> 1.0)
websocket-driver (>= 0.2.0) websocket-driver (>= 0.2.0)
rack (1.6.0) rack (1.6.4)
rack-pjax (0.8.0) rack-pjax (0.8.0)
nokogiri (~> 1.5) nokogiri (~> 1.5)
rack (~> 1.1) rack (~> 1.1)
@ -310,23 +310,23 @@ GEM
rack rack
rack-test (0.6.3) rack-test (0.6.3)
rack (>= 1.0) rack (>= 1.0)
rails (4.2.1) rails (4.2.2)
actionmailer (= 4.2.1) actionmailer (= 4.2.2)
actionpack (= 4.2.1) actionpack (= 4.2.2)
actionview (= 4.2.1) actionview (= 4.2.2)
activejob (= 4.2.1) activejob (= 4.2.2)
activemodel (= 4.2.1) activemodel (= 4.2.2)
activerecord (= 4.2.1) activerecord (= 4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
bundler (>= 1.3.0, < 2.0) bundler (>= 1.3.0, < 2.0)
railties (= 4.2.1) railties (= 4.2.2)
sprockets-rails sprockets-rails
rails-assets-growl (1.2.5) rails-assets-growl (1.2.5)
rails-assets-jquery rails-assets-jquery
rails-assets-jquery (2.1.3) rails-assets-jquery (2.1.3)
rails-deprecated_sanitizer (1.0.3) rails-deprecated_sanitizer (1.0.3)
activesupport (>= 4.2.0.alpha) activesupport (>= 4.2.0.alpha)
rails-dom-testing (1.0.6) rails-dom-testing (1.0.7)
activesupport (>= 4.2.0.beta, < 5.0) activesupport (>= 4.2.0.beta, < 5.0)
nokogiri (~> 1.6.0) nokogiri (~> 1.6.0)
rails-deprecated_sanitizer (>= 1.0.1) rails-deprecated_sanitizer (>= 1.0.1)
@ -349,9 +349,9 @@ GEM
remotipart (~> 1.0) remotipart (~> 1.0)
safe_yaml (~> 1.0) safe_yaml (~> 1.0)
sass-rails (>= 4.0, < 6) sass-rails (>= 4.0, < 6)
railties (4.2.1) railties (4.2.2)
actionpack (= 4.2.1) actionpack (= 4.2.2)
activesupport (= 4.2.1) activesupport (= 4.2.2)
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
raindrops (0.13.0) raindrops (0.13.0)
@ -420,12 +420,12 @@ GEM
rack-protection (~> 1.4) rack-protection (~> 1.4)
tilt (>= 1.3, < 3) tilt (>= 1.3, < 3)
spring (1.3.5) spring (1.3.5)
sprockets (2.12.3) sprockets (2.12.4)
hike (~> 1.2) hike (~> 1.2)
multi_json (~> 1.0) multi_json (~> 1.0)
rack (~> 1.0) rack (~> 1.0)
tilt (~> 1.1, != 1.3.0) tilt (~> 1.1, != 1.3.0)
sprockets-rails (2.2.4) sprockets-rails (2.3.2)
actionpack (>= 3.0) actionpack (>= 3.0)
activesupport (>= 3.0) activesupport (>= 3.0)
sprockets (>= 2.8, < 4.0) sprockets (>= 2.8, < 4.0)
@ -533,7 +533,7 @@ DEPENDENCIES
pghero pghero
poltergeist poltergeist
questiongenerator! questiongenerator!
rails (= 4.2.1) rails (= 4.2.2)
rails-assets-growl rails-assets-growl
rails-i18n rails-i18n
rails_admin rails_admin


@ -5,7 +5,7 @@ class Ajax::ModerationController < ApplicationController
@success = false @success = false
render partial: "ajax/shared/status" render partial: "ajax/shared/status"
end end
def vote def vote
params.require :id params.require :id
params.require :upvote params.require :upvote
@ -174,7 +174,20 @@ class Ajax::ModerationController < ApplicationController
end end
@checked = status @checked = status
target_user.send("#{params[:type]}=", status) case params[:type].downcase
when 'blogger'
target_user.blogger = status
when 'contributor'
target_user.contributor = status
when 'translator'
target_user.translator = status
when 'supporter'
target_user.supporter = status
when 'moderator'
target_user.moderator = status
when 'admin'
target_user.admin = status
end
target_user.save! target_user.save!
@message = I18n.t('messages.moderation.privilege.checked', privilege: params[:type]) @message = I18n.t('messages.moderation.privilege.checked', privilege: params[:type])
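Review bot: The new `case params[:type].downcase` has no `else` arm, so a type outside the six listed privileges falls through with nothing assigned, yet `target_user.save!` still runs and the last line of the hunk reports the privilege as checked with `@checked = status`. Add an `else` arm that sets `@success = false` (the same flag the earlier hunk in this file uses on its error path), assigns a not-found style message for the unknown privilege, and does `return` before `target_user.save!`, so the response reflects the failure. The enclosing method starts before the hunk and continues past it, so whether an earlier check already restricts `params[:type]` to these values is not visible here; an explicit `else` still documents that the whitelist is intentional and replaces the removed `send("#{params[:type]}=")` with a closed set. Minor: the message interpolates the raw `params[:type]` while the match uses `.downcase`, so the echoed value can differ in case from what was actually applied.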


@ -5,7 +5,7 @@ class Ajax::ReportController < ApplicationController
@success = false @success = false
render partial: "ajax/shared/status" render partial: "ajax/shared/status"
end end
def create def create
params.require :id params.require :id
params.require :type params.require :type
@ -23,11 +23,20 @@ class Ajax::ReportController < ApplicationController
return return
end end
object = if params[:type] == 'user' obj = params[:type].strip.capitalize
User.find_by_screen_name params[:id]
else object = case params[:type].strip.capitalize
params[:type].strip.capitalize.constantize.find params[:id] when 'User'
end User.find_by_screen_name params[:id]
when 'Question'
Question
when 'Answer'
Answer
when 'Comment'
Comment
else
Answer
end
if object.nil? if object.nil?
@message = I18n.t('messages.report.create.not_found', parameter: params[:type]) @message = I18n.t('messages.report.create.not_found', parameter: params[:type])
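Review bot: The `else Answer` arm of the new `case` silently maps any unrecognized `params[:type]` onto `Answer`, so the `object.nil?` not-found check directly below it can never fire for a bad type; that arm should produce `nil` (`else nil`, or drop the `else` entirely) so the existing error path handles it. `obj = params[:type].strip.capitalize` is assigned but never read within the hunk; either make it the subject, `object = case obj`, or remove the line. Note also that the `'Question'`, `'Answer'` and `'Comment'` arms now evaluate to the class itself where the removed code called `.find params[:id]` on it, so unless the lookup is performed later in `create`, `object` is a constant and the nil check passes vacuously for those types. The `create` method continues past the end of the hunk, so this cannot be confirmed from the lines shown.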