diff options
| author | Kerri Miller <kerrizor@kerrizor.com> | 2019-09-23 20:55:32 +0300 |
|---|---|---|
| committer | Kerri Miller <kerrizor@kerrizor.com> | 2019-10-22 19:57:43 +0300 |
| commit | 2a4457ea625b068b56bab4bb97af71f841a6e480 (patch) | |
| tree | 794073b8da32929cb4b79866fd04d3420faf4a39 /app | |
| parent | 1425a56c75beecaa289ad59587d636f8f469509e (diff) | |
Avoid #authenticate_user! in #route_not_found
This method, #route_not_found, is executed as the final fallback for
unrecognized routes (as the name might imply.) We want to avoid
`#authenticate_user!` when calling `#route_not_found`;
`#authenticate_user!` can, depending on the request format, return a 401
instead of redirecting to a login page. This opens a subtle security
exploit where anonymous users will receive a 401 response when
attempting to access a private repo, while a recognized user will
receive a 404, exposing the existence of the private, hidden repo.
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/application_controller.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1443a71f6b1..27e88ae569e 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -16,7 +16,7 @@ class ApplicationController < ActionController::Base include Gitlab::Tracking::ControllerConcern include Gitlab::Experimentation::ControllerConcern - before_action :authenticate_user! + before_action :authenticate_user!, except: [:route_not_found] before_action :enforce_terms!, if: :should_enforce_terms? before_action :validate_user_service_ticket! before_action :check_password_expiration @@ -97,7 +97,9 @@ class ApplicationController < ActionController::Base if current_user not_found else - authenticate_user! + store_location_for(:user, request.fullpath) unless request.xhr? + + redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated') end end |