From 2b81c593f5930cce05703a1c811f14a94775cd32 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 17 Jun 2016 13:46:59 +1000
Subject: [PATCH] SECURITY: restrict constantize classes in search controller

---
 app/controllers/search_controller.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index bdbb163a77c..a88f5780939 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -81,9 +81,10 @@ class SearchController < ApplicationController
       context_obj = nil
       if ['user','private_messages'].include? search_context[:type]
         context_obj = User.find_by(username_lower: search_context[:id].downcase)
-      else
-        klass = search_context[:type].classify.constantize
-        context_obj = klass.find_by(id: search_context[:id])
+      elsif 'category' == search_context[:type]
+        context_obj = Category.find_by(id: search_context[:id].to_i)
+      elsif 'topic' == search_context[:type]
+        context_obj = Topic.find_by(id: search_context[:id].to_i)
       end
 
       type_filter = nil
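Review bot: With the `else` branch gone, a `search_context[:type]` that is not user, private_messages, category or topic now falls through the new `elsif` chain silently and leaves `context_obj = nil`, so a malformed or unexpected type quietly widens the search to no context instead of being rejected; an explicit terminal branch that renders a 400 (or raises the application's invalid-parameters error) would make the allowlist a hard boundary rather than an implicit side effect of the chain. The allowlist is also the whole point of the security fix, so it deserves a comment above the `if` so a later refactor does not reintroduce reflection on request input: `# Explicit allowlist of context types. Never derive a class from search_context[:type] (classify/constantize) -- it is user-controlled.` The added `.to_i` coercion on the category/topic ids is a good hardening step; note the retained `User` branch still passes `search_context[:id]` straight to `.downcase`, so a missing or non-string id there raises rather than returning nil, which is inconsistent with the new branches and presumably a pre-existing gap. The enclosing action begins and ends outside this hunk.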