Created August 31, 2014 12:15
Fix security vulnerability in letsrate rater_controller
From 49344cfeb2f57347a09f0b5764c25792a2768d71 Mon Sep 17 00:00:00 2001 | |
From: Mohammad AbuShady <coalwater5@gmail.com> | |
Date: Sun, 31 Aug 2014 14:34:58 +0300 | |
Subject: [PATCH] Fix security vulnerability in rater_controller | |
--- | |
app/controllers/rater_controller.rb | 21 ++++++++------------- | |
1 file changed, 8 insertions(+), 13 deletions(-) | |
diff --git a/app/controllers/rater_controller.rb b/app/controllers/rater_controller.rb | |
index dc84c4b..bbc560c 100644 | |
--- a/app/controllers/rater_controller.rb | |
+++ b/app/controllers/rater_controller.rb | |
@@ -1,19 +1,14 @@ | |
-class RaterController < ApplicationController | |
- | |
- def create | |
- if current_user.present? | |
- obj = eval "#{params[:klass]}.find(#{params[:id]})" | |
- if params[:dimension].present? | |
- obj.rate params[:score].to_i, current_user.id, "#{params[:dimension]}" | |
- else | |
- obj.rate params[:score].to_i, current_user.id | |
- end | |
- | |
+class RaterController < ApplicationController | |
+ | |
+ def create | |
+ if user_signed_in? | |
+ obj = params[:klass].classify.constantize.find(params[:id]) | |
+ obj.rate params[:score].to_i, current_user.id, params[:dimension] | |
+ | |
render :json => true | |
else | |
render :json => false | |
end | |
end | |
- | |
-end | |
\ No newline at end of file | |
+end | |
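Review bot: `params[:klass].classify.constantize` in `+ obj = params[:klass].classify.constantize.find(params[:id])` still resolves a client-supplied string to whatever constant it names, so the hunk removes the `eval` but not the class-choice problem: any constant name the client sends is looked up and `find` is called on it, and a name that is not a rateable model ends in a `NameError` or `NoMethodError` (a 500) rather than in the `render :json => false` branch. Suggest checking `params[:klass]` against an explicit allow-list of rateable model names before calling `constantize`, and rescuing `ActiveRecord::RecordNotFound` so an unknown `id` also renders `false`. Two smaller points: `obj.rate params[:score].to_i, current_user.id, params[:dimension]` now passes `nil` as the dimension whenever the parameter is absent, where the removed code omitted the argument, so confirm `rate` treats a nil dimension as "no dimension"; and `user_signed_in?` replacing `current_user.present?` assumes the Devise helper is available in this controller.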
-- | |
1.9.1 |