From 86ba280d3273716fb67d94c60810a077aa7aafcf Mon Sep 17 00:00:00 2001
From: Jesus Federico <jesus@123it.ca>
Date: Thu, 7 Apr 2022 13:43:59 -0400
Subject: [PATCH] CVE-2015-9284: follow-up for restoring single authentication
 method and LDAP (#3376)

* CVE-2015-9284: follow-up for restoring single authentication method and ldap

* CVE-2015-9284: follow-up for restoring ldap
---
 Gemfile                                | 1 +
 Gemfile.lock                           | 2 ++
 app/controllers/sessions_controller.rb | 2 +-
 config/routes.rb                       | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/Gemfile b/Gemfile
index e5889dd2..9c929bae 100644
--- a/Gemfile
+++ b/Gemfile
@@ -40,6 +40,7 @@ gem 'random_password', '~> 0.1.1'
 gem "recaptcha", '~> 5.7.0'
 gem 'redcarpet', '~> 3.5.1'
 gem 'remote_syslog_logger', '~> 1.0.4'
+gem 'repost', '~> 0.3.8'
 gem 'rubocop', '~> 1.10.0'
 gem 'sassc-rails', '~> 2.1.2'
 gem 'sprockets', '~> 3.7.2'
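Review bot: The new `repost` dependency is added without any indication of what it is for, and since it exists to serve a single call site it is the kind of gem a later cleanup may drop or leave unpinned. A trailing comment would keep the reason next to the constraint: `gem 'repost', '~> 0.3.8' # auto-submitting POST redirect into the OmniAuth request phase (CVE-2015-9284 follow-up)`. The `~>` pin together with the exact version in Gemfile.lock looks fine as written.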
diff --git a/Gemfile.lock b/Gemfile.lock
index 6ef7f95e..864f85cc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -341,6 +341,7 @@ GEM
     regexp_parser (2.1.1)
     remote_syslog_logger (1.0.4)
       syslog_protocol
+    repost (0.3.8)
     representable (3.0.4)
       declarative (< 0.1.0)
       declarative-option (< 0.2.0)
@@ -508,6 +509,7 @@ DEPENDENCIES
   redcarpet (~> 3.5.1)
   redis (~> 4.2.5)
   remote_syslog_logger (~> 1.0.4)
+  repost (~> 0.3.8)
   rspec-rails (~> 3.7)
   rubocop (~> 1.10.0)
   sassc-rails (~> 2.1.2)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 764ded94..65d9cb28 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -39,7 +39,7 @@ class SessionsController < ApplicationController
         "#{Rails.configuration.relative_url_root}/auth/#{@providers.first}"
       end
 
-      redirect_to provider_path
+      redirect_post(provider_path, options: { authenticity_token: :auto })
     end
   end
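Review bot: The replacement of `redirect_to` with `redirect_post(provider_path, options: { authenticity_token: :auto })` has no comment saying why a plain GET redirect no longer works, so a future maintainer may simplify it back and silently reopen the request-phase problem the subject line names. Suggested comment above the call: `# OmniAuth's request phase only accepts POST with a CSRF token (CVE-2015-9284); render an auto-submitting form rather than a GET redirect.` Be aware that the auto-submitted form means reaching this action by GET still starts the provider flow without a user click, so the token protects the POST leg only; whether that is acceptable depends on how the action is reached, which is outside this hunk. The enclosing method starts before the hunk.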
 
diff --git a/config/routes.rb b/config/routes.rb
index dba1a55a..7a2801d2 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -28,7 +28,7 @@ Rails.application.routes.draw do
   get '/signin', to: 'sessions#signin', as: :signin
   get '/signup', to: 'sessions#new', as: :signup
   post '/signup', to: 'users#create', as: :create_user
-  get '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin
+  match '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin, via: [:get, :post]
 
   # Redirect to terms page
   match '/terms', to: 'users#terms', via: [:get, :post]
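Review bot: Routing both verbs to `sessions#ldap_signin` with `match ... via: [:get, :post]` means one action now serves the form display and the credential submission; the action should branch on `request.post?` before reading credentials so that a GET carrying them in the query string is not processed and the values do not end up in URL or server logs. The action is not part of this patch, so I cannot confirm it does. The `via:` form matches the `/terms` route directly below, so there is no style objection to the shape of the line.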
-- 
GitLab