working command injection in fileupload, closes issue #23

.gitignore

@@ -17,3 +17,6 @@
 
 # Ignore Mac folder settings
 .DS_Store
+
+# Ignore data directory
+/public/data

app/controllers/benefit_forms_controller.rb

@@ -16,7 +16,14 @@ class BenefitFormsController < ApplicationController
   end
   
   def upload
-    
+    file = params[:benefits][:upload]
+    if file
+      flash[:success] = "File Successfully Uploaded!"
+      Benefits.save(file, params[:benefits][:backup])
+    else
+      flash[:error] = "Something went wrong"
+    end   
+    redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
   end
 
   

app/models/benefits.rb

@@ -1,7 +1,17 @@
 class Benefits < ActiveRecord::Base
+ attr_accessor :backup
  
- def self.save(file)
-   
+ def self.save(file, backup=false)
+   data_path = Rails.root.join("public", "data")
+   full_file_name = "#{data_path}/#{file.original_filename}"
+   f = File.open(full_file_name, "w+")
+   f.write file.read
+   f.close
+   make_backup(file, data_path, full_file_name) if backup == "true"
+ end
+ 
+ def self.make_backup(file, data_path, full_file_name)
+   system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
  end
  
 end

app/views/benefit_forms/index.html.erb

@@ -69,17 +69,18 @@
 					    <!-- The fileupload-buttonbar contains buttons to add/delete files and start/cancel the upload -->
 					    <div>
 					      <div>
+						 	<%= hidden_field "benefits", "backup", :value => false %>
 					        <!-- The fileinput-button span is used to style the file input field as button -->
 					        <span class="btn btn-success fileinput-button">
 					          <i class="icon-plus icon-white"></i>
-					          <span>Add files...</span>
-					          <%= f.file_field :upload %>
+					          <span>Add file</span>
+					          <%= f.file_field :upload  %>
 					        </span>
 					        <button id="start_upload" type="submit" class="btn btn-primary start">
 					          <i class="icon-upload icon-white"></i>
 					          <span><%= t('fileupload.start_upload') %></span>
 					        </button>
-					        <input type="checkbox" class="toggle">
+							<br/><br/><span class="filename">Nothing selected</span>
 					      </div>
 					      <div class="span5">
 					        <!-- The global progress bar -->
@@ -111,7 +112,14 @@
 
 <script type="text/javascript">
    
-
+	$(function() {
+	     $("#benefits_upload").change(function (){
+	      	 var fileName = $(this).val();
+			 $(".filename").html(fileName);
+	     });
+		
+	  });
+	
 	function makeActive(){
 		$('li[id="benefit_forms"]').addClass('active');
 	};
@@ -119,5 +127,6 @@
  	$(document).ready(
  	   makeActive
  	);
+
 	
 </script>