From 86ba280d3273716fb67d94c60810a077aa7aafcf Mon Sep 17 00:00:00 2001 From: Jesus Federico <jesus@123it.ca> Date: Thu, 7 Apr 2022 13:43:59 -0400 Subject: [PATCH] CVE-2015-9284: follow-up for restoring single authentication method and LDAP (#3376) * CVE-2015-9284: follow-up for resotoring single authentication method and ldap * CVE-2015-9284: follow-up for resotoring ldap
---
 Gemfile | 1 +
 Gemfile.lock | 2 ++
 app/controllers/sessions_controller.rb | 2 +-
 config/routes.rb | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/Gemfile b/Gemfile
index e5889dd2..9c929bae 100644
--- a/Gemfile
+++ b/Gemfile
@@ -40,6 +40,7 @@ gem 'random_password', '~> 0.1.1'
 gem "recaptcha", '~> 5.7.0'
 gem 'redcarpet', '~> 3.5.1'
 gem 'remote_syslog_logger', '~> 1.0.4'
+gem 'repost', '~> 0.3.8'
 gem 'rubocop', '~> 1.10.0'
 gem 'sassc-rails', '~> 2.1.2'
 gem 'sprockets', '~> 3.7.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6ef7f95e..864f85cc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -341,6 +341,7 @@ GEM
     regexp_parser (2.1.1)
     remote_syslog_logger (1.0.4)
       syslog_protocol
+    repost (0.3.8)
     representable (3.0.4)
       declarative (< 0.1.0)
       declarative-option (< 0.2.0)
@@ -508,6 +509,7 @@ DEPENDENCIES
   redcarpet (~> 3.5.1)
   redis (~> 4.2.5)
   remote_syslog_logger (~> 1.0.4)
+  repost (~> 0.3.8)
   rspec-rails (~> 3.7)
   rubocop (~> 1.10.0)
   sassc-rails (~> 2.1.2)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 764ded94..65d9cb28 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -39,7 +39,7 @@ class SessionsController < ApplicationController
       "#{Rails.configuration.relative_url_root}/auth/#{@providers.first}"
     end
 
-    redirect_to provider_path
+    redirect_post(provider_path, options: { authenticity_token: :auto })
   end
 end
diff --git a/config/routes.rb b/config/routes.rb
index dba1a55a..7a2801d2 100644
--- a/config/routes.rb
+++ b/config/routes.rb
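Review bot: Switching the provider hand-off to `redirect_post` removes the GET-triggered request phase only from this app's own sign-in flow; it does not by itself close CVE-2015-9284, because a forged cross-site `GET /auth/<provider>` still starts the OmniAuth request phase unless the middleware is configured to accept POST only and to verify the token the generated form now carries. That configuration (`OmniAuth.config.allowed_request_methods = [:post]` together with a request-phase token check such as the `omniauth-rails_csrf_protection` strategy, or an equivalent) is not in this diff, so please confirm it is already in place or add it in the same change. `authenticity_token: :auto` also presumes the page is served under `protect_from_forgery`; a comment above the call would help the next reader, e.g. `# POST to the provider so the OmniAuth request phase cannot be started by a cross-site GET (CVE-2015-9284)`. The method containing this call begins above the hunk; from what is visible, `provider_path` is built only from `relative_url_root` and `@providers.first`, so no request input appears to reach the generated form.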
@@ -28,7 +28,7 @@ Rails.application.routes.draw do
   get '/signin', to: 'sessions#signin', as: :signin
   get '/signup', to: 'sessions#new', as: :signup
   post '/signup', to: 'users#create', as: :create_user
-  get '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin
+  match '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin, via: [:get, :post]
 
   # Redirect to terms page
   match '/terms', to: 'users#terms', via: [:get, :post]
-- 
GitLab
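Review bot: The added `match '/ldap_signin' ... via: [:get, :post]` line sends both the form render and the credential submission to the same `sessions#ldap_signin` action, and Rails does not verify the authenticity token on GET, so if that action authenticates whenever username/password params are present, LDAP credentials can be submitted (and forged cross-site) through a GET URL and will land in server logs and Referer headers. The action itself is not in this diff, so this is inferred from the route alone; if it already branches on the request method the concern is moot. Otherwise keep the route but make the action authenticate only on POST, e.g. `return render :ldap_signin unless request.post?` at its top, so a GET never touches the LDAP bind. The enclosing `Rails.application.routes.draw` block starts and ends outside this hunk.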