Fix vulnerable.

2022-10-24 16:23:41 +08:00 · 2022-10-24 16:23:41 +08:00 · cb8acf3f8c
parent d54176b635
commit cb8acf3f8c
2 changed files with 10 additions and 5 deletions
--- a/app/controllers/admin/books_controller.rb
+++ b/app/controllers/admin/books_controller.rb
@ -107,7 +107,7 @@ class Admin::BooksController < OrbitMemberController

  def new
    @book = Book.new
-    @member = Array(MemberProfile.find_by(:uid=>params['uid'])) rescue nil
+    @member = Array(MemberProfile.find_by(:uid=>params['uid'].to_s)) rescue nil
    if params[:desktop]
      render :layout => false
    end
@ -213,7 +213,7 @@ class Admin::BooksController < OrbitMemberController
  end

  def frontend_setting
-    @member = MemberProfile.find_by(:uid=>params['uid']) rescue nil
+    @member = MemberProfile.find_by(:uid=>params['uid'].to_s) rescue nil
    @intro = BookIntro.find_by(:member_profile_id=>@member.id) rescue nil
    @intro = @intro.nil? ? BookIntro.new({:member_profile_id=>@member.id}) : @intro
  end
--- a/app/controllers/personal_books_controller.rb
+++ b/app/controllers/personal_books_controller.rb
@ -51,7 +51,11 @@ class PersonalBooksController < ApplicationController
      when 'note'
        books_show = books_temp.select { |value| search_all_words(Nokogiri::HTML(value.note).text, params[:keywords]) }
      else
+        if fields_to_show.include?(params[:selectbox])
          books_show = books_temp.select { |value| search_all_words(value.send(params[:selectbox]).to_s, params[:keywords]) }
+        else
+          books_show = books_temp
+        end
      end
      page_to_show = params[:page_no].nil? ? 1 : params[:page_no].to_i
      books = books_show[(page_to_show - 1) * page_data_count...page_to_show * page_data_count]
@ -111,7 +115,8 @@ class PersonalBooksController < ApplicationController
    choice = choice.map { |value| value.inject :merge }
    select_text = t('personal_book.search_class')
    search_text = t('personal_book.word_to_search')
-    csrf_value = (0...46).map { ('a'..'z').to_a[rand(26)] }.join
+    @_request = OrbitHelper.request
+    csrf_value = form_authenticity_token
    {
      'book_list' => book_list,
      'extras' => { 'widget-title' => t('module_name.book'),
@ -128,7 +133,7 @@ class PersonalBooksController < ApplicationController

  def show
    params = OrbitHelper.params
-    plugin = Book.where(is_hidden: false).find_by(uid: params[:uid])
+    plugin = Book.where(is_hidden: false).find_by(uid: params[:uid].to_s)
    fields_to_show = %w[
      year
      book_title