added a very dangerous, very serious vulnerability (constantize

2013-06-02 22:42:29 -04:00
parent caecb88e30
commit e97afb9bb4
9 changed files with 100 additions and 3 deletions
@@ -0,0 +1,17 @@
+class BenefitFormsController < ApplicationController
+  
+  def index
+  end
+  
+  def download
+   begin  
+     #file = params[:type].constantize.new(params[:name])
+     file = Rails.root.join('public', 'docs', params[:name])
+     #render :text => File.read(file) 
+     send_file file, :disposition => 'attachment'
+   rescue
+     redirect_to user_benefit_forms_path(:user_id => current_user.user_id)
+   end
+  end
+  
+end