sprinkle some to_s paranoia on params where it matters

joshua stein 2013-02-08 10:39:51 -06:00
parent 305789381c
commit 75570194ac
7 changed files with 17 additions and 16 deletions


@ -7,7 +7,7 @@ class ApplicationController < ActionController::Base
def authenticate_user def authenticate_user
if session[:u] if session[:u]
@user = User.find_by_session_token(session[:u]) @user = User.find_by_session_token(session[:u].to_s)
end end
true true
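Review bot: The new `session[:u].to_s` on the find_by_session_token line still issues a lookup for an empty or junk-valued session key, because the surrounding `if session[:u]` only rejects nil and false; `if session[:u].present?` would skip the query for blank values and match the `.present?` idiom this same commit introduces in CommentsController and StoriesController. With the coercion in place a non-string session value becomes a string that is unlikely to match a real token, so the change itself is sound. authenticate_user continues past the end of this hunk.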


@ -17,7 +17,7 @@ class CommentsController < ApplicationController
comment.story_id = story.id comment.story_id = story.id
comment.user_id = @user.id comment.user_id = @user.id
if params[:parent_comment_short_id] if params[:parent_comment_short_id].present?
if pc = Comment.find_by_story_id_and_short_id(story.id, if pc = Comment.find_by_story_id_and_short_id(story.id,
params[:parent_comment_short_id]) params[:parent_comment_short_id])
comment.parent_comment_id = pc.id comment.parent_comment_id = pc.id
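Review bot: The finder on the line after the changed `.present?` check still passes the raw `params[:parent_comment_short_id]` to `Comment.find_by_story_id_and_short_id`, so a non-string value (for example a nested value from a JSON or XML request body) reaches the query unconverted, which is exactly what the `.to_s` added elsewhere in this commit guards against. Change the argument to `params[:parent_comment_short_id].to_s` so the lookup is consistent with the SignupController and LoginController finders. The enclosing method starts before this hunk and continues after it.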


@ -15,8 +15,9 @@ class LoginController < ApplicationController
end end
def login def login
if (user = User.where("email = ? OR username = ?", params[:email], if (user = User.where("email = ? OR username = ?", params[:email].to_s,
params[:email]).first) && user.try(:authenticate, params[:password]) params[:email].to_s).first) &&
user.try(:authenticate, params[:password].to_s)
session[:u] = user.session_token session[:u] = user.session_token
return redirect_to "/" return redirect_to "/"
end end
@ -31,8 +32,8 @@ class LoginController < ApplicationController
end end
def reset_password def reset_password
@found_user = User.where("email = ? OR username = ?", params[:email], @found_user = User.where("email = ? OR username = ?", params[:email].to_s,
params[:email]).first params[:email].to_s).first
if !@found_user if !@found_user
flash.now[:error] = "Invalid e-mail address or username." flash.now[:error] = "Invalid e-mail address or username."
@ -50,13 +51,13 @@ class LoginController < ApplicationController
@title = "Reset Password" @title = "Reset Password"
if params[:token].blank? || if params[:token].blank? ||
!(@reset_user = User.find_by_password_reset_token(params[:token])) !(@reset_user = User.find_by_password_reset_token(params[:token].to_s))
flash[:error] = "Invalid reset token. It may have already been " << flash[:error] = "Invalid reset token. It may have already been " <<
"used or you may have copied it incorrectly." "used or you may have copied it incorrectly."
return redirect_to forgot_password_url return redirect_to forgot_password_url
end end
if !params[:password].blank? if params[:password].present?
@reset_user.password = params[:password] @reset_user.password = params[:password]
@reset_user.password_confirmation = params[:password_confirmation] @reset_user.password_confirmation = params[:password_confirmation]
@reset_user.password_reset_token = nil @reset_user.password_reset_token = nil
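Review bot: In the reset_password hunk the assignments `@reset_user.password = params[:password]` and `@reset_user.password_confirmation = params[:password_confirmation]` still take the raw param values, while the token a few lines above and the login credentials in the earlier hunks of this file were coerced with `.to_s`. The guard `params[:password].present?` is also true for a non-empty array or hash, so a non-string value would reach the password setter uncoerced; apply the same treatment with `@reset_user.password = params[:password].to_s` and `@reset_user.password_confirmation = params[:password_confirmation].to_s`. Note that `.to_s` turns a missing confirmation into `""` rather than nil, which (assuming a standard confirmation validation on the model) makes the mismatch explicit instead of skipping the check — confirm that is the intended behaviour. reset_password continues past the end of the hunk.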


@ -96,7 +96,7 @@ class MessagesController < ApplicationController
private private
def find_message def find_message
if @message = Message.find_by_short_id(params[:message_id ] || params[:id]) if @message = Message.find_by_short_id(params[:message_id] || params[:id])
if (@message.author_user_id == @user.id || if (@message.author_user_id == @user.id ||
@message.recipient_user_id == @user.id) @message.recipient_user_id == @user.id)
return true return true
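Review bot: This hunk only removes a stray space in `params[:message_id ]`; the value handed to `Message.find_by_short_id` is still uncoerced, unlike the other `find_by_*` calls this commit touches. `if @message = Message.find_by_short_id((params[:message_id] || params[:id]).to_s)` would bring it in line. Be aware that `.to_s` turns a missing id into `""`, so a row with an empty short_id (if any exist) would match where a NULL one matched before; the ownership check on the following lines still limits what the caller can see. find_message continues beyond the hunk.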


@ -5,12 +5,12 @@ class SearchController < ApplicationController
@search = Search.new @search = Search.new
if params[:q].present? if params[:q].to_s.present?
@search.q = params[:q] @search.q = params[:q].to_s
@search.what = params[:what] @search.what = params[:what]
@search.order = params[:order] @search.order = params[:order]
if params[:page] if params[:page].present?
@search.page = params[:page].to_i @search.page = params[:page].to_i
end end
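Review bot: `params[:page].to_i` on the line after the new `.present?` check is the one spot in this hunk where a non-string param breaks rather than being coerced: `.present?` is true for a non-empty array or hash, and neither responds to `to_i`, so the request would fail with NoMethodError instead of being sanitized. Use `@search.page = params[:page].to_s.to_i` for symmetry with the `params[:q].to_s` handling two lines up. The same applies to `@search.what = params[:what]` and `@search.order = params[:order]`, which still take the raw values; if Search uses them to choose a sort column or scope, they should be coerced and then checked against a fixed list rather than passed through. The enclosing action starts before this hunk.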


@ -14,7 +14,7 @@ class SignupController < ApplicationController
return redirect_to "/" return redirect_to "/"
end end
if !(@invitation = Invitation.find_by_code(params[:invitation_code])) if !(@invitation = Invitation.find_by_code(params[:invitation_code].to_s))
flash[:error] = "Invalid or expired invitation" flash[:error] = "Invalid or expired invitation"
return redirect_to "/signup" return redirect_to "/signup"
end end
@ -28,7 +28,7 @@ class SignupController < ApplicationController
end end
def signup def signup
if !(@invitation = Invitation.find_by_code(params[:invitation_code])) if !(@invitation = Invitation.find_by_code(params[:invitation_code].to_s))
flash[:error] = "Invalid or expired invitation." flash[:error] = "Invalid or expired invitation."
return redirect_to "/signup" return redirect_to "/signup"
end end
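Review bot: The two hunks in this file make the identical edit — `Invitation.find_by_code(params[:invitation_code].to_s)` followed by the same flash-and-redirect — once in each action, and the only difference between them is the trailing period in the flash message. Extracting a private `find_invitation` helper (or a before_filter shared by both actions) would keep the coercion and the error path in one place so the next param fix does not have to be applied twice. Also note that with `.to_s` a missing invitation_code now queries for `""` instead of NULL, which is fine provided no invitation row carries an empty code. The `signup` action continues beyond the second hunk.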


@ -83,10 +83,10 @@ class StoriesController < ApplicationController
@story = Story.new @story = Story.new
if !params[:url].blank? if params[:url].present?
@story.url = params[:url] @story.url = params[:url]
if !params[:title].blank? if params[:title].present?
@story.title = params[:title] @story.title = params[:title]
end end
end end
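Review bot: The new `.present?` checks on the url and title lines do not coerce the value they assign: `@story.url = params[:url]` and `@story.title = params[:title]` still receive whatever shape the param arrived in, and `.present?` passes a non-empty array or hash just as it passes a string. For consistency with the rest of this commit use `@story.url = params[:url].to_s` and `@story.title = params[:title].to_s` inside the existing guards. The enclosing action starts before this hunk and may continue after it.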