From 75570194acc9280e52e2a69cab84a8bb2b2aaaa8 Mon Sep 17 00:00:00 2001
From: joshua stein
Date: Fri, 8 Feb 2013 10:39:51 -0600
Subject: [PATCH] sprinkle some to_s paranoia on params where it matters
---
 app/controllers/application_controller.rb |  2 +-
 app/controllers/comments_controller.rb    |  2 +-
 app/controllers/login_controller.rb       | 13 +++++++------
 app/controllers/messages_controller.rb    |  2 +-
 app/controllers/search_controller.rb      |  6 +++---
 app/controllers/signup_controller.rb      |  4 ++--
 app/controllers/stories_controller.rb     |  4 ++--
 7 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3c1c843..d91f3cb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,7 +7,7 @@ class ApplicationController < ActionController::Base
   def authenticate_user
     if session[:u]
-      @user = User.find_by_session_token(session[:u])
+      @user = User.find_by_session_token(session[:u].to_s)
     end
     true
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 8641b1b..eae3275 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -17,7 +17,7 @@ class CommentsController < ApplicationController
     comment.story_id = story.id
     comment.user_id = @user.id
-    if params[:parent_comment_short_id]
+    if params[:parent_comment_short_id].present?
       if pc = Comment.find_by_story_id_and_short_id(story.id,
         params[:parent_comment_short_id])
         comment.parent_comment_id = pc.id
diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index d617428..2939621 100644
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
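Review bot: On the changed line `session[:u].to_s` maps a non-string session value to `""` instead of `nil`, and the `if session[:u]` guard above it does not stop that, so `find_by_session_token("")` can now be issued; if any user row can carry an empty-string `session_token`, that lookup would log the request in as that user. Tightening the guard to `if session[:u].present?` keeps the query to non-blank tokens without changing anything else in the method. Whether the column can ever be empty is not visible from this hunk.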
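Review bot: `params[:parent_comment_short_id]` still reaches `Comment.find_by_story_id_and_short_id` uncoerced on the lines following the changed one; `.present?` rejects an empty array or hash, but a non-empty one is passed straight to the finder, which is exactly the case the rest of this commit guards with `.to_s`. Apply the same coercion in the finder call: `params[:parent_comment_short_id].to_s`. The enclosing method begins and continues outside the hunk.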
@@ -15,8 +15,9 @@ class LoginController < ApplicationController
   end
   def login
-    if (user = User.where("email = ? OR username = ?", params[:email],
-      params[:email]).first) && user.try(:authenticate, params[:password])
+    if (user = User.where("email = ? OR username = ?", params[:email].to_s,
+      params[:email].to_s).first) &&
+      user.try(:authenticate, params[:password].to_s)
       session[:u] = user.session_token
       return redirect_to "/"
     end
@@ -31,8 +32,8 @@ class LoginController < ApplicationController
   end
   def reset_password
-    @found_user = User.where("email = ? OR username = ?", params[:email],
-      params[:email]).first
+    @found_user = User.where("email = ? OR username = ?", params[:email].to_s,
+      params[:email].to_s).first
     if !@found_user
       flash.now[:error] = "Invalid e-mail address or username."
@@ -50,13 +51,13 @@ class LoginController < ApplicationController
     @title = "Reset Password"
     if params[:token].blank? ||
-      !(@reset_user = User.find_by_password_reset_token(params[:token]))
+      !(@reset_user = User.find_by_password_reset_token(params[:token].to_s))
       flash[:error] = "Invalid reset token. It may have already been " <<
         "used or you may have copied it incorrectly."
       return redirect_to forgot_password_url
     end
-    if !params[:password].blank?
+    if params[:password].present?
       @reset_user.password = params[:password]
       @reset_user.password_confirmation = params[:password_confirmation]
       @reset_user.password_reset_token = nil
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 9acfc62..9401715 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -96,7 +96,7 @@ class MessagesController < ApplicationController
 private
   def find_message
-    if @message = Message.find_by_short_id(params[:message_id ] || params[:id])
+    if @message = Message.find_by_short_id(params[:message_id] || params[:id])
       if (@message.author_user_id == @user.id ||
         @message.recipient_user_id == @user.id)
         return true
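Review bot: The `&&` on the new lines short-circuits before `authenticate` whenever the `where` lookup misses, so a request for an unknown e-mail or username returns without a bcrypt comparison while a known one pays for it, and that timing difference can reveal which accounts exist. A dummy password check on the miss path (so both branches cost roughly the same) is the usual mitigation; rate limiting belongs here too but is not visible in this hunk. Separately, `params[:email].to_s` turns an absent parameter into `""`, and the `email = ? OR username = ?` query would match a row whose username or email is empty if one exists, so a `params[:email].blank?` early return ahead of the query is cheap insurance. `login` continues outside the hunk.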
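Review bot: `flash.now[:error] = "Invalid e-mail address or username."` on the last context line answers the reset request differently depending on whether the account exists, so the form doubles as an account-enumeration oracle; the commit changes the lookup that feeds it without addressing that. A uniform response regardless of the lookup result, e.g. `flash.now[:notice] = "If that address or username is registered, reset instructions have been sent."`, removes the signal. As in `login`, `params[:email].to_s` makes an absent parameter `""`, which the query would match against an empty username or email if such a row exists; a `.blank?` guard before the `where` avoids depending on the data. `reset_password` continues past the hunk.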
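Review bot: The new `if params[:password].present?` branch sets the password and clears `password_reset_token`, but nothing in the hunk rotates the user's `session_token`, so sessions opened before the reset (including one held by whoever prompted it) would stay valid unless the remainder of the method handles it; regenerating `session_token` in the same save is the usual step. Nothing visible checks the age of the reset token either, only its existence, so a leaked token would stay usable until consumed — hedged, since an expiry could live in the model. The enclosing method continues outside the hunk.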
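Review bot: `Message.find_by_short_id(params[:message_id] || params[:id])` on the changed line is the one finder in this commit that still receives the raw parameter; the change only removes a stray space, so an array or hash would still reach the query, whereas the sibling controllers now coerce with `.to_s`. `Message.find_by_short_id((params[:message_id] || params[:id]).to_s)` keeps it consistent. The author/recipient check on the following lines is the right ownership gate and should stay in front of any use of `@message`; `find_message` continues outside the hunk.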
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 7b9bb16..94d48fd 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -5,12 +5,12 @@ class SearchController < ApplicationController
     @search = Search.new
-    if params[:q].present?
-      @search.q = params[:q]
+    if params[:q].to_s.present?
+      @search.q = params[:q].to_s
       @search.what = params[:what]
       @search.order = params[:order]
-      if params[:page]
+      if params[:page].present?
         @search.page = params[:page].to_i
       end
diff --git a/app/controllers/signup_controller.rb b/app/controllers/signup_controller.rb
index 7e45fa3..f14dba3 100644
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -14,7 +14,7 @@ class SignupController < ApplicationController
       return redirect_to "/"
     end
-    if !(@invitation = Invitation.find_by_code(params[:invitation_code]))
+    if !(@invitation = Invitation.find_by_code(params[:invitation_code].to_s))
       flash[:error] = "Invalid or expired invitation"
       return redirect_to "/signup"
     end
@@ -28,7 +28,7 @@ class SignupController < ApplicationController
   end
   def signup
-    if !(@invitation = Invitation.find_by_code(params[:invitation_code]))
+    if !(@invitation = Invitation.find_by_code(params[:invitation_code].to_s))
       flash[:error] = "Invalid or expired invitation."
       return redirect_to "/signup"
     end
diff --git a/app/controllers/stories_controller.rb b/app/controllers/stories_controller.rb
index 7f8237c..f8662a0 100644
--- a/app/controllers/stories_controller.rb
+++ b/app/controllers/stories_controller.rb
@@ -83,10 +83,10 @@ class StoriesController < ApplicationController
     @story = Story.new
-    if !params[:url].blank?
+    if params[:url].present?
       @story.url = params[:url]
-      if !params[:title].blank?
+      if params[:title].present?
         @story.title = params[:title]
       end
     end
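Review bot: `@search.what = params[:what]` and `@search.order = params[:order]` on the two context lines after the coerced `q` still take the raw parameters; if `Search` ever interpolates `order` into an `ORDER BY` or `what` into a column or table name, this is an injection path, and the model is not visible here to confirm either way. Restricting both at this boundary to a whitelist of the values the model accepts (`@search.order = params[:order] if ALLOWED_ORDERS.include?(params[:order])`) keeps the controller safe regardless of how the model builds the query. `params[:page].to_i` also accepts `0` and negatives; `[params[:page].to_i, 1].max` is a cheap clamp unless the model already does it. The enclosing action begins outside the hunk.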
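Review bot: With `params[:invitation_code].to_s` on the changed line, an absent code becomes `""` and `Invitation.find_by_code("")` is still executed; if an invitation row can end up with an empty `code`, that would admit a signup with no invitation at all. A blank check ahead of the finder, as the reset-token path in this same commit does, removes the dependency on the data: `if params[:invitation_code].blank? || !(@invitation = Invitation.find_by_code(params[:invitation_code].to_s))`. The enclosing action begins outside the hunk.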
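Review bot: This is the second copy of the `Invitation.find_by_code(...)` lookup-and-redirect in the file, and the two copies already disagree on the flash text (`"Invalid or expired invitation"` versus `"Invalid or expired invitation."`). A single `before_filter` that performs the lookup, the blank check and the redirect would keep both actions identical and give one place to enforce whatever "expired" means — nothing visible in either hunk checks an expiry, so if one exists it is in the model or a scope. `signup` continues past the hunk.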
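Review bot: `@story.url = params[:url]` and `@story.title = params[:title]` on the context lines assign the raw parameters; the `present?` rewrite is equivalent to the old `!blank?` and only rejects blanks, so a hash or array would still be assigned to a string attribute, which is the case the commit's subject targets. `@story.url = params[:url].to_s` and `@story.title = params[:title].to_s` bring this hunk in line with the others. Any scheme validation on the URL (rejecting `javascript:` and similar) is presumably in `Story` and is not visible here; worth confirming since this value is prefilled back into a form. The enclosing action begins outside the hunk.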