From d445e59a98aa3dc46954f46ea9bb26785b68a2bb Mon Sep 17 00:00:00 2001
From: Ken Johnson <cktricky@Kens-MacBook-Pro.local>
Date: Thu, 6 Jun 2013 16:43:58 -0400
Subject: [PATCH] this fixes issue #20, seriously, no clue how I missed the
 missing constantize code

---
 app/controllers/benefit_forms_controller.rb   | 20 ++++++++----
 .../_benefit_forms_constantize.html.erb       | 31 +++++++++++--------
 2 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/app/controllers/benefit_forms_controller.rb b/app/controllers/benefit_forms_controller.rb
index 5684bcf..b46a17a 100644
--- a/app/controllers/benefit_forms_controller.rb
+++ b/app/controllers/benefit_forms_controller.rb
@@ -2,31 +2,39 @@ class BenefitFormsController < ApplicationController
   
   def index
   end
-  
+
+
   def download
    begin  
-     file = Rails.root.join('public', 'docs', params[:name])
+     path = Rails.root.join('public', 'docs', params[:name])
+     file = params[:type].constantize.new(path)
      send_file file, :disposition => 'attachment'
    rescue
      redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
    end
   end
+
   
-=begin
+=begin  
     # More secure version
     def download
      file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
      begin  
        if file_assoc.has_key?(params[:name].to_s)
-          file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
-          send_file file, :disposition => 'attachment'
+          path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
+          if params[:type] == "File"
+            file = params[:type].constantize.new(path)  
+            send_file file, :disposition => 'attachment'
+          end 
        else 
          file =  Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
+         send_file file, :disposition => 'attachment'
        end
      rescue
        redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
      end
     end
-=end  
+=end      
+
   
 end
diff --git a/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb b/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb
index 41a59f0..18d6c8d 100644
--- a/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb
+++ b/app/views/layouts/tutorial/constantize/_benefit_forms_constantize.html.erb
@@ -37,16 +37,17 @@
 			  </p>
 			  <pre class="ruby">
 				  def download
-				   begin  
-				     file = Rails.root.join('public', 'docs', params[:name])
-				     send_file file, :disposition => 'attachment'
-				   rescue
-				     redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
-				   end
-				  end
+			   		begin  
+			   		  <span style="background-color:yellow">path = Rails.root.join('public', 'docs', params[:name])</span>
+			   		  <span style="background-color:yellow">file = params[:type].constantize.new(path)</span>
+			   		  send_file file, :disposition => 'attachment'
+			   		rescue
+			   		  redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
+			   		end
+			  	  end
 			  </pre>
 			  <p class="desc">
-				The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved.
+				The location of the file to render is dynamically generated based on user input (params[:name]). This means the user controls the location of the file to be retrieved. Additionally, the params[:type] (File) is not validated to make sure it matches up with expected values.
 			  </p>	 	
             </div>
           </div>
@@ -85,15 +86,19 @@
 				 In this instance and as always, there are multiple ways to fix this. A simple method to secure this function by validating user input is as follows:
 			   </p>
 			    <pre class="ruby">
-					 # More secure version
+					# More secure version
 				    def download
-				     file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}
+				     <span style="background-color:yellow">file_assoc = {"1" => "Health_n_Stuff.pdf", "2" => "Dental_n_Stuff.pdf"}</span>
 				     begin  
-				       if file_assoc.has_key?(params[:name].to_s)
-				          file = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
-				          send_file file, :disposition => 'attachment'
+				       <span style="background-color:yellow">if file_assoc.has_key?(params[:name].to_s)</span>
+				          path = Rails.root.join('public', 'docs', file_assoc[params[:name].to_s])
+				          <span style="background-color:yellow">if params[:type] == "File"</span>
+				            file = params[:type].constantize.new(path)  
+				            send_file file, :disposition => 'attachment'
+				          end 
 				       else 
 				         file =  Rails.root.join('public', 'docs', "Dental_n_Stuff.pdf")
+				         send_file file, :disposition => 'attachment'
 				       end
 				     rescue
 				       redirect_to user_benefit_forms_path(:user_id => current_user.user_id)