Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/controllers/omniauth_callbacks_controller.rb
diff options
context:
space:
mode:
authorJames Edwards-Jones <jedwardsjones@gitlab.com>2019-01-19 23:41:39 +0300
committerJames Edwards-Jones <jedwardsjones@gitlab.com>2019-02-04 13:10:51 +0300
commit6548e01f18c24ec8703bb85557d7509dbeace013 (patch)
treee413188194b17a41c42f19e324c625348e88cd46 /app/controllers/omniauth_callbacks_controller.rb
parentd4d4ebadfb373518013382560b1f505eb6217f13 (diff)
Avoid CSRF check on SAML failure endpoint
SAML and OAuth failures should cause a message to be presented, as well as logging that an attempt was made. These were incorrectly prevented by the CSRF check on POST endpoints such as SAML. In addition we were using a NullSession forgery protection, which made testing more difficult and could have allowed account linking to take place if a CSRF was ever needed but not present.
Diffstat (limited to 'app/controllers/omniauth_callbacks_controller.rb')
-rw-r--r--app/controllers/omniauth_callbacks_controller.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f8e482937d5..97120273d6b 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -4,7 +4,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
include AuthenticatesWithTwoFactor
include Devise::Controllers::Rememberable
- protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
+ protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true
def handle_omniauth
omniauth_flow(Gitlab::Auth::OAuth)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 17:59:05 +0300