SECURITY: restrict constantize classes in search controller

2024-12-15 16:23:50 +08:00 · 2016-06-17 13:46:59 +10:00 · 2016-06-17 13:46:59 +10:00 · 2b81c593f5
commit 2b81c593f5
parent 1e241dedad
1 changed files with 4 additions and 3 deletions
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@ -81,9 +81,10 @@ class SearchController < ApplicationController
      context_obj = nil
      if ['user','private_messages'].include? search_context[:type]
        context_obj = User.find_by(username_lower: search_context[:id].downcase)
-      else
-        klass = search_context[:type].classify.constantize
-        context_obj = klass.find_by(id: search_context[:id])
+      elsif 'category' == search_context[:type]
+        context_obj = Category.find_by(id: search_context[:id].to_i)
+      elsif 'topic' == search_context[:type]
+        context_obj = Topic.find_by(id: search_context[:id].to_i)
      end

      type_filter = nil