security issue in returning post parameters from session in callback phase
This commit is contained in:
parent
640e5d9cd5
commit
71866c5264
|
@ -198,7 +198,7 @@ module OmniAuth
|
||||||
setup_phase
|
setup_phase
|
||||||
log :info, 'Request phase initiated.'
|
log :info, 'Request phase initiated.'
|
||||||
# store query params from the request url, extracted in the callback_phase
|
# store query params from the request url, extracted in the callback_phase
|
||||||
session['omniauth.params'] = request.params
|
session['omniauth.params'] = request.GET
|
||||||
OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
|
OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
|
||||||
if options.form.respond_to?(:call)
|
if options.form.respond_to?(:call)
|
||||||
log :info, 'Rendering form from supplied Rack endpoint.'
|
log :info, 'Rendering form from supplied Rack endpoint.'
|
||||||
|
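Review bot: `session['omniauth.params'] = request.GET` still writes an attacker-controlled, unbounded hash into the session before any validation, so code that reads `omniauth.params` in the callback phase must keep treating it as untrusted input, and with a cookie-backed session store a long query string on this endpoint ends up serialized into the cookie. I would extend the comment above the assignment to say so: `# Only URL query params are kept (never the POST body); they are attacker-controlled and must be validated by whoever reads omniauth.params in callback_phase.` The enclosing request_call method starts before and ends after this hunk, so I cannot see whether anything bounds the size of what is stored.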
@ -265,7 +265,7 @@ module OmniAuth
|
||||||
def mock_request_call
|
def mock_request_call
|
||||||
setup_phase
|
setup_phase
|
||||||
|
|
||||||
session['omniauth.params'] = request.params
|
session['omniauth.params'] = request.GET
|
||||||
OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
|
OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
|
||||||
if request.params['origin']
|
if request.params['origin']
|
||||||
@env['rack.session']['omniauth.origin'] = request.params['origin']
|
@env['rack.session']['omniauth.origin'] = request.params['origin']
|
||||||
|
|
|
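Review bot: `origin` is still read from `request.params` two lines below the changed assignment, and `request.params` merges the POST body, so a body parameter can still be written to the session as `omniauth.origin` in mock_request_call even though `omniauth.params` now excludes it. If the intent is that body parameters never reach the session, the same switch applies here: `if request.GET['origin']` and `@env['rack.session']['omniauth.origin'] = request.GET['origin']`; if a body-supplied origin is deliberately accepted, a one-line comment saying so would stop the next reader from flagging it. mock_request_call continues past the end of this hunk, and the non-mock request_call is not in view, so I cannot tell whether it has the same pattern.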
@ -685,13 +685,24 @@ describe OmniAuth::Strategy do
|
||||||
expect(strategy.env['foobar']).to eq('baz')
|
expect(strategy.env['foobar']).to eq('baz')
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'sets omniauth.params on the request phase' do
|
it 'sets omniauth.params with query params on the request phase' do
|
||||||
OmniAuth.config.mock_auth[:test] = {}
|
OmniAuth.config.mock_auth[:test] = {}
|
||||||
|
|
||||||
strategy.call(make_env('/auth/test', 'QUERY_STRING' => 'foo=bar'))
|
strategy.call(make_env('/auth/test', 'QUERY_STRING' => 'foo=bar'))
|
||||||
expect(strategy.env['rack.session']['omniauth.params']).to eq('foo' => 'bar')
|
expect(strategy.env['rack.session']['omniauth.params']).to eq('foo' => 'bar')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not set body parameters of POST request on the request phase' do
|
||||||
|
OmniAuth.config.mock_auth[:test] = {}
|
||||||
|
|
||||||
|
props = {
|
||||||
|
'REQUEST_METHOD' => 'POST',
|
||||||
|
'rack.input' => StringIO.new('foo=bar')
|
||||||
|
}
|
||||||
|
strategy.call(make_env('/auth/test', props))
|
||||||
|
expect(strategy.env['rack.session']['omniauth.params']).to eq({})
|
||||||
|
end
|
||||||
|
|
||||||
it 'executes request hook on the request phase' do
|
it 'executes request hook on the request phase' do
|
||||||
OmniAuth.config.mock_auth[:test] = {}
|
OmniAuth.config.mock_auth[:test] = {}
|
||||||
OmniAuth.config.before_request_phase do |env|
|
OmniAuth.config.before_request_phase do |env|
|
||||||
|
|
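Review bot: The new POST test relies on Rack treating a POST with no Content-Type as form data in order to parse `rack.input`; if that default changes or `make_env` sets a different content type, the body is never parsed, `request.params` is empty under the old code too, and the `eq({})` assertion passes vacuously. Adding `'CONTENT_TYPE' => 'application/x-www-form-urlencoded'` to `props` makes the parsed-body case explicit. A second assertion for the mixed case, a POST to `/auth/test?foo=bar` with a body of `baz=qux` expecting `eq('foo' => 'bar')`, would pin exactly the split the change is meant to enforce. I cannot see make_env's signature from here, so whether it already sets a content type is an assumption.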