
Fix Omniauth CSRF (CVE-2015-9284)

This commit is contained in:
Alex Kotov 2019-07-08 19:13:25 +05:00
parent 7085e7c52c
commit 878932fe7b
Signed by: kotovalexarian
GPG key ID: 553C0EBBEB5D5F08
3 changed files with 11 additions and 1 deletions


@ -94,6 +94,12 @@ gem 'interactor', '~> 3.1'
# A generalized Rack framework for multiple-provider authentication.
gem 'omniauth', '~> 1.9'
# This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
# Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails
# application) by implementing a CSRF token verifier that directly utilize
# `ActionController::RequestForgeryProtection` code from Rails.
gem 'omniauth-rails_csrf_protection', '~> 0.1'
# Official OmniAuth strategy for GitHub.
gem 'omniauth-github', '~> 1.3'
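Review bot: The comment above the new `omniauth-rails_csrf_protection` entry misnames the vulnerable stage as the request "phrase"; CVE-2015-9284 concerns OmniAuth's request phase, and the next line has a number-agreement slip in "a CSRF token verifier that directly utilize". Suggested wording for those two comment lines: `# Forgery on the request phase when using OmniAuth gem with a Ruby on Rails` and `# application) by implementing a CSRF token verifier that directly utilizes`. It may also be worth stating in the comment that the gem only verifies the token, so every provider link in the views must send one (i.e. submit via POST), since a reader of the Gemfile alone cannot see that the view change in this commit is what makes the mitigation effective.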


@ -239,6 +239,9 @@ GEM
omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1)
omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
orm_adapter (0.5.0)
parallel (1.17.0)
parser (2.6.3.0)
@ -474,6 +477,7 @@ DEPENDENCIES
listen (>= 3.0.5, < 3.2)
omniauth (~> 1.9)
omniauth-github (~> 1.3)
omniauth-rails_csrf_protection (~> 0.1)
pg (>= 0.18, < 2.0)
pry-doc (~> 1.0)
pry-rails (~> 0.3)


@ -19,7 +19,7 @@
<%- if display_omniauth_links? %>
<%- resource_class.omniauth_providers.each do |provider| %>
<%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider) %>
<%= link_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider), method: :post %>
<br/>
<% end -%>
<% end -%>
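Review bot: `link_to ..., method: :post` on the new line only adds a `data-method="post"` attribute to the anchor; the POST is performed client-side by rails-ujs (or jquery_ujs), so with JavaScript disabled or the UJS driver not loaded the link degrades to a plain GET that carries no authenticity token, which the verifier introduced by `omniauth-rails_csrf_protection` would then reject. A `button_to` renders a real form that includes the token without JavaScript: `<%= button_to translate('.sign_in_with_provider', provider: OmniAuth::Utils.camelize(provider)), omniauth_authorize_path(resource_name, provider), method: :post %>`. Whether rails-ujs is loaded in this application is not visible from the hunk, so confirm that before keeping the `link_to` form; the rest of the template lies outside the hunk.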