Fix Omniauth CSRF (CVE-2015-9284)
parent
7085e7c52c
commit
878932fe7b
3 changed files with 11 additions and 1 deletions
6
Gemfile
6
Gemfile
|
@ -94,6 +94,12 @@ gem 'interactor', '~> 3.1'
|
|||
# A generalized Rack framework for multiple-provider authentication.
|
||||
gem 'omniauth', '~> 1.9'
|
||||
|
||||
# This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
|
||||
# Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
|
||||
# application) by implementing a CSRF token verifier that directly utilize
|
||||
# `ActionController::RequestForgeryProtection` code from Rails.
|
||||
gem 'omniauth-rails_csrf_protection', '~> 0.1'
|
||||
|
||||
# Official OmniAuth strategy for GitHub.
|
||||
gem 'omniauth-github', '~> 1.3'
|
||||
|
||||
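Review bot: Adding `omniauth-rails_csrf_protection` at L36 does not by itself close CVE-2015-9284 on OmniAuth 1.9, because the request phase still accepts GET by default and, as far as I can tell, the gem's 0.1.x token verifier delegates to Rails' `verify_authenticity_token`, which skips verification for GET and HEAD. A victim can therefore still be sent through `/users/auth/github` with a plain link and the verifier never fires. The commit should also restrict the request phase to POST in an initializer, e.g. `OmniAuth.config.allowed_request_methods = %i[post]` in `config/initializers/omniauth.rb`, and confirm that `protect_from_forgery` is active on the controller stack so the verifier has a session token to compare against. Since this gem is a security control, pinning it as `gem 'omniauth-rails_csrf_protection', '~> 0.1.2'` to match the lockfile would also be tighter than `~> 0.1`.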
|
|
|
@ -239,6 +239,9 @@ GEM
|
|||
omniauth-oauth2 (1.6.0)
|
||||
oauth2 (~> 1.1)
|
||||
omniauth (~> 1.9)
|
||||
omniauth-rails_csrf_protection (0.1.2)
|
||||
actionpack (>= 4.2)
|
||||
omniauth (>= 1.3.1)
|
||||
orm_adapter (0.5.0)
|
||||
parallel (1.17.0)
|
||||
parser (2.6.3.0)
|
||||
|
@ -474,6 +477,7 @@ DEPENDENCIES
|
|||
listen (>= 3.0.5, < 3.2)
|
||||
omniauth (~> 1.9)
|
||||
omniauth-github (~> 1.3)
|
||||
omniauth-rails_csrf_protection (~> 0.1)
|
||||
pg (>= 0.18, < 2.0)
|
||||
pry-doc (~> 1.0)
|
||||
pry-rails (~> 0.3)
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
|
||||
<%- if display_omniauth_links? %>
|
||||
<%- resource_class.omniauth_providers.each do |provider| %>
|
||||
<%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider) %>
|
||||
<%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider), method: :post %>
|
||||
<br/>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
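Review bot: `method: :post` on the `link_to` at L124 only turns into a POST when rails-ujs (or jquery_ujs) is loaded and JavaScript runs; otherwise the anchor is followed as a plain GET, which OmniAuth 1.9 still accepts by default, so the new protection silently degrades to the vulnerable path. A real form is the robust choice here: `<%= button_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider), method: :post %>` emits a `<form>` carrying the authenticity token and needs no client-side script. The view's path is not shown in this section and the template continues outside the hunk (`display_omniauth_links?` and the surrounding markup are not visible). Whichever helper is used, pair it with `OmniAuth.config.allowed_request_methods = %i[post]` so the GET route is refused server-side rather than relying on the browser.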
|
|