From ca55f99f53d0d7defed71dc52df1518e649b8a81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=82=B1=E5=8D=9A=E4=BA=9E?=
Date: Thu, 18 Nov 2021 14:32:20 +0800
Subject: [PATCH] fix vulnerability

---
 app/controllers/asks_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/controllers/asks_controller.rb b/app/controllers/asks_controller.rb
index e6c6e60..5c5e140 100644
--- a/app/controllers/asks_controller.rb
+++ b/app/controllers/asks_controller.rb
@@ -160,6 +160,9 @@ class AsksController < ActionController::Base
   end
 
   def create
+    if !params[:referer_url].blank? && !params[:referer_url].to_s.start_with?("/")
+      render :file => "#{Rails.root}/app/views/errors/403.html", :layout => false, :status => 403 and return
+    end
     @ask_question = AskQuestion.new()
     temp_params = create_params
     all_to_save = []
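Review bot: The guard on the first added line still lets a scheme-relative value through: a `referer_url` beginning with `//` satisfies `start_with?("/")` but is resolved by browsers as an absolute URL on another host, so if the value is later used as a redirect target (the rest of `create` lies outside the hunk, so this is inferred from the parameter name) the check does not fully close the open-redirect path. A tighter local-path test is `ref = params[:referer_url].to_s` followed by `if ref.present? && !(ref.start_with?("/") && !ref.start_with?("//"))`, keeping the existing 403 render as the body. It would also help to state the intent above the `if` with a comment such as `# referer_url must be a same-site path; reject anything that is not a single leading slash`, and, if other actions accept the same parameter, to move the check into a `before_action` so it is not enforced in `create` alone.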