diff --git a/app/controllers/benefit_forms_controller.rb b/app/controllers/benefit_forms_controller.rb index 5684bcf..b46a17a 100644 --- a/app/controllers/benefit_forms_controller.rb +++ b/app/controllers/benefit_forms_controller.rb @@ -2,31 +2,39 @@ class BenefitFormsController < ApplicationController def index end - + + def download begin - file = Rails.root.join('public', 'docs', params[:name]) + path = Rails.root.join('public', 'docs', params[:name]) + file = params[:type].constantize.new(path) send_file file, :disposition => 'attachment' rescue redirect_to user_benefit_forms_path(:user_id => current_user.user_id) end end + -=begin +=begin # More secure version def download file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"} begin if file_assoc.has_key?(params[:name].to_s) - file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s]) - send_file file, :disposition => 'attachment' + path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s]) + if params[:type] == "File" + file = params[:type].constantize.new(path) + send_file file, :disposition => 'attachment' + end else file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf") + send_file file, :disposition => 'attachment' end rescue redirect_to user_benefit_forms_path(:user_id => current_user.user_id) end end -=end +=end + end diff --git a/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb b/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb index 41a59f0..18d6c8d 100644 --- a/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb +++ b/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb @@ -37,16 +37,17 @@
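Review bot: In the `# More secure version` block, after `params[:type] == "File"` has been checked, `params[:type].constantize.new(path)` is just `File.new(path)`, which opens a descriptor that nothing closes; `send_file` accepts a path, so the safe branch can be `send_file path, :disposition => 'attachment'` with no constantize at all. When `params[:type]` is anything other than `"File"` that branch sends nothing and falls out of the `begin` with no response, and the bare `rescue` does not cover that case, so an explicit `head :bad_request` (or the existing redirect) belongs there. The bare `rescue` also swallows the `NameError` an unknown `params[:type]` raises in the live `download`, so probes against it are never surfaced; that live version appears to be the intentionally vulnerable tutorial code, and the secure version sits inside `=begin`/`=end`, so none of it runs as committed.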
def download
- begin
- file = Rails.root.join('public', 'docs', params[:name])
- send_file file, :disposition => 'attachment'
- rescue
- redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
- end
- end
+ begin
+ path = Rails.root.join('public', 'docs', params[:name])
+ file = params[:type].constantize.new(path)
+ send_file file, :disposition => 'attachment'
+ rescue
+ redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
+ end
+ end
- The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved.
+ The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved. Additionally, the params[:type] (File) is not validated to make sure it matches up with expected values.
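Review bot: The added sentence says `params[:type]` is not validated but never states why that matters, which is the whole point of a constantize tutorial; the shown code `file = params[:type].constantize.new(path)` lets the client name any loaded constant and have its `new` called with the path. I would add one sentence after it: "Because `constantize` resolves whatever constant name the client supplies, params[:type] lets the caller choose which class's `new` is invoked on the path, not just `File`." The parenthetical "(File)" is also ambiguous; "(expected to be \"File\")" reads more clearly.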
@@ -85,15 +86,19 @@ In this instance and as always, there are multiple ways to fix this. A simple method to secure this function by validating user input is as follows:
- # More secure version
+ # More secure version
def download
- file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
+ file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
begin
- if file_assoc.has_key?(params[:name].to_s)
- file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
- send_file file, :disposition => 'attachment'
+ if file_assoc.has_key?(params[:name].to_s)
+ path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
+ if params[:type] == "File"
+ file = params[:type].constantize.new(path)
+ send_file file, :disposition => 'attachment'
+ end
else
file = Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
+ send_file file, :disposition => 'attachment'
end
rescue
redirect_to user_benefit_forms_path(:user_id => current_user.user_id)