Guard against a login attempt with invalid CSRF token

If a user logs in with a bad CSRF token, the Warden before_logout
hook will be called with no valid user. This would lead to odd
Error 500 messages with a backtrace.

Addresses part of #50857
Stan Hu 2018-09-26 10:53:57 -07:00
parent 4586d77c85
commit 027c3264ad
2 changed files with 10 additions and 0 deletions

@ -0,0 +1,5 @@
---
title: Guard against a login attempt with invalid CSRF token
merge_request: 21934
author:
type: fixed
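
Review bot: the `title:` line describes the code change rather than the symptom users hit. The commit message says the bug surfaced as an Error 500 with a backtrace, so a title along the lines of "Fix Error 500 when logging in with an invalid CSRF token" would read better in the changelog.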

@ -31,6 +31,11 @@ Rails.application.configure do |config|
Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
user ||= auth.user
# Rails CSRF protection may attempt to log out a user before that
# user even logs in
next unless user
activity = Gitlab::Auth::Activity.new(opts)
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
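
Review bot: the `next unless user` guard at the top of the `before_logout` block ships without a spec; the only other file in this commit is the changelog entry, so the nil-user path that caused the Error 500 can regress unnoticed. Add a spec that submits a login with an invalid CSRF token and asserts the hook does not raise. The early `next` also skips `Gitlab::Auth::Activity` and `Gitlab::Auth::BlockedUserTracker` entirely, so this hook records nothing for a login rejected on CSRF grounds; it is worth confirming that event is logged somewhere else, and extending the comment to say that both `user` and `auth.user` are nil in this case.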