Unverified Commit 6ba1faeb authored by Jesus Federico's avatar Jesus Federico Committed by GitHub

CVE-2015-9284: potential issue with omniauth accepting get requests (#3371)

parent b6c5e502
......@@ -30,6 +30,7 @@ gem 'omniauth-bn-launcher', '~> 0.1.3'
gem 'omniauth-bn-office365', '~> 0.1.1'
gem 'omniauth-google-oauth2', '~> 0.7.0'
gem 'omniauth_openid_connect', '~> 0.4.0'
gem 'omniauth-rails_csrf_protection', '~> 0.1.2'
gem 'omniauth-twitter', '~> 1.4.0'
gem 'pagy', '~> 3.11.0'
gem 'pluck_to_hash', '~> 1.0.2'
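Review bot: The gem added on the `omniauth-rails_csrf_protection` line carries no comment explaining why it is in the bundle, and nothing in its name ties it to the CVE named in the commit title, so a later cleanup could drop it as an unused dependency. A one-line comment above it would anchor the intent: `# Mitigates CVE-2015-9284: restricts the OmniAuth request phase to POST and verifies the Rails CSRF token`. The lockfile hunk shows the gem wanting `omniauth (>= 1.3.1)` while other entries only require `~> 1.2`; the resolved omniauth version is not visible here, so it is worth confirming the bundle actually picks a version that satisfies both.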
......@@ -257,6 +257,9 @@ GEM
omniauth-oauth2 (1.5.0)
oauth2 (~> 1.1)
omniauth (~> 1.2)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1)
rack
......@@ -491,6 +494,7 @@ DEPENDENCIES
omniauth-bn-launcher (~> 0.1.3)
omniauth-bn-office365 (~> 0.1.1)
omniauth-google-oauth2 (~> 0.7.0)
omniauth-rails_csrf_protection (~> 0.1.2)
omniauth-twitter (~> 1.4.0)
omniauth_openid_connect (~> 0.4.0)
pagy (~> 3.11.0)
......@@ -23,7 +23,7 @@
<div class="card-body background">
<% unless iconset_providers.length.zero? %>
<% iconset_providers.each do |provider| %>
<%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
<%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
<span class="customBtn-icon">
<img class="customBtn-image"></img>
</span>
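Review bot: `method: :post` on the `link_to` line only produces a `data-method="post"` attribute; it is the rails-ujs/jquery_ujs JavaScript that turns the click into a POST form carrying the CSRF token from `csrf_meta_tags`. With JavaScript off, or if the UJS driver or the meta tags are missing from the layout (neither is visible here), the anchor degrades to a plain GET, which the new configuration now rejects, so the provider button would silently stop signing users in. `button_to` renders a real `<form method="post">` with the authenticity token and needs no script; it accepts a block in Rails 4.1+, so the icon markup can stay: `<%= button_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", form_class: "d-inline" do %>`. The surrounding `each` block and card markup continue outside the hunk.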
......@@ -23,7 +23,7 @@
<div class="card-body background">
<% unless iconset_providers.length.zero? %>
<% iconset_providers.each do |provider| %>
<%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin" do %>
<%= link_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", method: :post do %>
<span class="customBtn-icon ">
<img class="customBtn-image"></img>
</span>
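Review bot: This hunk appears to be a second copy of the same provider-button markup, and the `link_to ... method: :post` line has the same dependency on rails-ujs being loaded and on `csrf_meta_tags` being present in the layout for the POST and its token to be emitted; without them the click falls back to a GET that the new configuration refuses. Consider `button_to` here as well so the login works without JavaScript, e.g. `<%= button_to omniauth_login_url(provider), class: "customBtn-#{provider} oauth-signin", form_class: "d-inline" do %>`. If these two views are indeed near-identical, a shared partial would keep the CSRF-relevant markup in one place so future fixes do not have to be applied twice. The enclosing `each` block continues outside the hunk.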
......@@ -88,7 +88,7 @@
<% if allow_greenlight_accounts %>
<%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
<% elsif Rails.configuration.loadbalanced_configuration %>
<%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button" %>
<%= link_to t("login"), omniauth_login_url(:bn_launcher), :class => "btn btn-outline-primary mx-2 sign-in-button", method: :post %>
<% else %>
<%= link_to t("login"), signin_path, :class => "btn btn-outline-primary mx-2 sign-in-button" %>
<% end %>
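Review bot: The `bn_launcher` login link now needs rails-ujs to rewrite the click into a POST; if that script fails to load, the header button issues a GET and, with GET no longer allowed, users on load-balanced deployments cannot sign in at all. Since this branch has no custom inner markup, a plain `button_to` avoids the JavaScript dependency and still posts the authenticity token: `<%= button_to t("login"), omniauth_login_url(:bn_launcher), class: "btn btn-outline-primary mx-2 sign-in-button", form_class: "d-inline" %>`. The other two branches still link to `signin_path` with GET, which is presumably a normal page and not an OmniAuth request-phase URL, so they look unaffected.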
......@@ -87,3 +87,6 @@ end
OmniAuth.config.on_failure = proc { |env|
OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}
# Include get if enabled. This value is by default set to false, which means only post requests are allowed.
OmniAuth.config.allowed_request_methods = [:post, :get] if Greenlight::Application.parse_bool(ENV['ENABLE_OMNIAUTH_GET'])
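Review bot: Setting `ENABLE_OMNIAUTH_GET` on the last line reinstates exactly the condition CVE-2015-9284 describes, because the Rails authenticity-token check that the gem's verifier presumably reuses is skipped for GET and HEAD, so once `:get` is back in `allowed_request_methods` the request phase can again be triggered by a cross-site link or image tag with no token; the comment above only says that GET becomes allowed. It should state the cost plainly, e.g. `# ENABLE_OMNIAUTH_GET re-opens the request phase to GET, which the CSRF token check does not cover (CVE-2015-9284). Keep it false unless a provider genuinely cannot POST.` Two things this line relies on are not visible here and are worth confirming: that `Greenlight::Application.parse_bool` returns false for an unset variable, and that the gem's railtie (which sets the POST-only default) runs before this initializer, which is the usual load order for `config/initializers`.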
......@@ -360,3 +360,7 @@ DEFAULT_REGISTRATION=open
# Max avatar image size (bytes)
# Default: 100000
MAX_AVATAR_SIZE=100000
# Due CCVE-2015-9284, this setting needs to be enabled for omniauth to respond GET requests.
# ENABLE_OMNIAUTH_GET=true|<false>
ENABLE_OMNIAUTH_GET=false
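Review bot: The comment on the first added line misspells the identifier as `CCVE-2015-9284` and reads as though the setting merely has to be enabled for GET to work, without saying what enabling it gives up. Proposed replacement for the two comment lines: `# CVE-2015-9284: the OmniAuth request phase only accepts POST. Setting this to true re-allows GET, which is not covered by CSRF protection; leave it false.` followed by `# ENABLE_OMNIAUTH_GET=<false>|true` so the default is marked the same way as the other settings in this file.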