gitlab-org--gitlab-foss/app/controllers
Rémy Coutable 237324cc17 Merge branch 'fix/2fa-authentication-spoofing' into 'master'
Fix 2FA authentication spoofing

## Summary

This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

## Fix

This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.

Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.

See merge request !1947
2016-04-07 11:56:44 +00:00
| Name | Last commit | Date |
|---|---|---|
| admin | Fixes #14638. | 2016-04-06 13:56:28 -03:00 |
| ci | Redirect to root path when visiting `/ci` | 2016-03-29 08:04:17 +02:00 |
| concerns | Use respond_to instead of a conditional to paginate milestones | 2016-03-23 12:02:15 +01:00 |
| dashboard | Add missing Dashboard::LabelsController | 2016-03-23 12:02:15 +01:00 |
| explore | Merge branch 'master' into issue_12658 | 2016-03-21 23:22:21 +01:00 |
| groups | Use respond_to instead of a conditional to paginate milestones | 2016-03-23 12:02:15 +01:00 |
| import | Redirect to a default path if HTTP_REFERER is not set | 2015-10-20 07:45:48 -07:00 |
| oauth | Merge branch 'fix/gitlab-omniauth-issue' into 'master' | 2016-03-19 19:03:33 +00:00 |
| profiles | Don't abuse the flash store for displaying SSH Key form errors | 2016-03-03 16:13:59 -05:00 |
| projects | Merge branch 'feature/expose-builds-badge' into 'master' | 2016-04-07 08:40:15 +00:00 |
| sherlock | Added Sherlock, a custom profiling tool for GitLab | 2015-11-09 14:29:10 +01:00 |
| abuse_reports_controller.rb | Autofill abuse message text with user url. Closes #2838 | 2016-01-16 10:47:12 -05:00 |
| application_controller.rb | Merge branch 'master' into issue_12658 | 2016-03-21 23:22:21 +01:00 |
| autocomplete_controller.rb | Use the configured Kaminari "per page" default | 2016-03-19 17:37:54 -04:00 |
| confirmations_controller.rb | | |
| dashboard_controller.rb | Fix an issue causing the Dashboard/Milestones page to be blank | 2016-03-23 12:02:15 +01:00 |
| emojis_controller.rb | Update award_emoji test | 2016-02-23 19:37:15 -06:00 |
| groups_controller.rb | Merge branch 'master' into issue_12658 | 2016-03-21 23:22:21 +01:00 |
| help_controller.rb | | |
| invites_controller.rb | Redirect to a default path if HTTP_REFERER is not set | 2015-10-20 07:45:48 -07:00 |
| namespaces_controller.rb | Prevent projects to have higher visibility than groups | 2016-03-10 10:38:36 -03:00 |
| omniauth_callbacks_controller.rb | Avoid saving again if the user attributes haven't changed | 2016-04-04 19:10:59 -05:00 |
| passwords_controller.rb | Allow the initial admin to set a password | 2016-03-04 17:37:57 -05:00 |
| profiles_controller.rb | Merge branch 'master' into issue_7959 | 2016-03-22 11:13:27 -05:00 |
| projects_controller.rb | Fix Error 500 after renaming a project path | 2016-04-05 11:18:13 -07:00 |
| registrations_controller.rb | Partially revert "Add IP check against DNSBLs at account sign-up" | 2016-01-28 16:28:19 -05:00 |
| root_controller.rb | Implementing 'Groups View' and 'TODOs View' as options for dashboard preferences. | 2016-03-24 19:59:54 +01:00 |
| search_controller.rb | Enable search for logged-out users | 2016-03-01 15:57:28 +01:00 |
| sent_notifications_controller.rb | #can_unsubscribe? -> #?unsubscribable? | 2016-01-11 14:23:45 +01:00 |
| sessions_controller.rb | Fix 2FA authentication spoofing vulnerability | 2016-04-07 11:19:29 +02:00 |
| snippets_controller.rb | Use the configured Kaminari "per page" default | 2016-03-19 17:37:54 -04:00 |
| uploads_controller.rb | Branded login page also in CE | 2016-02-26 15:50:51 +01:00 |
| users_controller.rb | Merge branch 'master' into issue_12658 | 2016-03-21 23:22:21 +01:00 |