From 0740ac90614228402952c20a6a3f6ece6c25c57d Mon Sep 17 00:00:00 2001 From: Charlie Jonas Date: Sat, 27 Jul 2019 12:46:50 +0200 Subject: [PATCH 1/3] Add vulnerability warning to README This commit adds a warning notice about CVE-2015-9284 and directs the user to the FAQ where they can find steps to mitigate it. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b186b01..0d179ce 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,8 @@ environment information on the callback request. It is entirely up to you how you want to implement the particulars of your application's authentication flow. +**Please note:** there is currently a CSRF vulnerability that affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation in application itself. More details on how to do this can be found in the [FAQ](https://github.com/omniauth/omniauth/wiki/FAQ#how-do-i-mitigate-cve-2015-9284). + ## Configuring The `origin` Param The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to. From d68adb60399877eb8515ad542bf305a642a4a945 Mon Sep 17 00:00:00 2001 From: Charlie Jonas Date: Fri, 9 Aug 2019 17:11:54 +0100 Subject: [PATCH 2/3] Improve readability --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d179ce..b20aeb8 100644 --- a/README.md +++ b/README.md 
@@ -122,7 +122,7 @@ environment information on the callback request. It is entirely up to you how you want to implement the particulars of your application's authentication flow. -**Please note:** there is currently a CSRF vulnerability that affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation in application itself. More details on how to do this can be found in the [FAQ](https://github.com/omniauth/omniauth/wiki/FAQ#how-do-i-mitigate-cve-2015-9284). +**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found in the [FAQ](https://github.com/omniauth/omniauth/wiki/FAQ#how-do-i-mitigate-cve-2015-9284). ## Configuring The `origin` Param The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to. From b2697e7e4ce35de999ffea0b2f01ce806f384a3e Mon Sep 17 00:00:00 2001 From: Charlie Jonas Date: Fri, 25 Oct 2019 14:02:35 +0100 Subject: [PATCH 3/3] Update README link location --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b20aeb8..ec8fad0 100644 --- a/README.md +++ b/README.md 
@@ -122,7 +122,7 @@ environment information on the callback request. It is entirely up to you how you want to implement the particulars of your application's authentication flow. -**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found in the [FAQ](https://github.com/omniauth/omniauth/wiki/FAQ#how-do-i-mitigate-cve-2015-9284). +**Please note:** there is currently a CSRF vulnerability which affects OmniAuth (designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) that requires mitigation at the application level. More details on how to do this can be found on the [Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284). ## Configuring The `origin` Param The `origin` url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to.
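Review bot: in PATCH 1/3, the added line "**Please note:** there is currently a CSRF vulnerability ..." links to a section anchor inside the FAQ page (`.../wiki/FAQ#how-do-i-mitigate-cve-2015-9284`), which silently stops pointing at the mitigation steps as soon as that heading is renamed; link to a dedicated page instead (as the third patch in this series ends up doing), and fix the grammar of "requires mitigation in application itself" (missing article, "in the application itself", or "at the application level"). The notice also gives the reader no way to tell whether their installed OmniAuth version is affected; a sentence naming the affected versions next to the CVE reference would save every reader a trip to the wiki.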
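Review bot: in PATCH 2/3, the rewording leaves the sentence with mixed relative pronouns ("a CSRF vulnerability which affects OmniAuth (...) that requires mitigation"); a simpler form such as "a CSRF vulnerability affecting OmniAuth (designated CVE-2015-9284) that requires mitigation at the application level" reads more cleanly and matches the commit's stated goal of improving readability. Otherwise the change to "at the application level" correctly conveys that the library itself does not contain the fix, which is the key point for the reader.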
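Review bot: in PATCH 3/3, moving the link from an FAQ anchor to the dedicated `Resolving-CVE-2015-9284` wiki page is the right call for link stability, but the phrase "there is currently a CSRF vulnerability" remains undated and unversioned, so it will read as stale or ambiguous once a fixed release exists; state the affected version range (or the release in which the default behaviour changes) in the notice itself, or replace "currently" with a reference to the versions concerned, so the warning stays accurate without another README edit.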