author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-25 15:09:03 +0300 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-10-25 15:09:03 +0300 |
commit | 4f3324982038cfd26ad9326d519e8a6d7a12d992 (patch) | |
tree | 511019a33b978179e1bdb0b559b7fff65f5f5e75 /app | |
parent | 44612c0c9f0e73c5fb4f700886100b7cdc8f7b10 (diff) | |
parent | 2a4457ea625b068b56bab4bb97af71f841a6e480 (diff) |
Merge branch 'security-remove-leaky-401-responses-12.4' into '12-4-stable'
Private/internal repository enumeration via bruteforce on a vulnerable URL
See merge request gitlab/gitlabhq!3491
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1443a71f6b1..27e88ae569e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -16,7 +16,7 @@ class ApplicationController < ActionController::Base
   include Gitlab::Tracking::ControllerConcern
   include Gitlab::Experimentation::ControllerConcern
-  before_action :authenticate_user!
+  before_action :authenticate_user!, except: [:route_not_found]
   before_action :enforce_terms!, if: :should_enforce_terms?
   before_action :validate_user_service_ticket!
   before_action :check_password_expiration
@@ -97,7 +97,9 @@ class ApplicationController < ActionController::Base
     if current_user
       not_found
     else
-      authenticate_user!
+      store_location_for(:user, request.fullpath) unless request.xhr?
+
+      redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated')
     end
   end
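Review bot: The second hunk replaces `authenticate_user!` with a hand-rolled redirect but leaves no comment explaining why, so a future cleanup could fold it back into the Devise helper and reintroduce the enumeration the merge request title describes; the `else` branch deserves a why-comment such as `# Do not call authenticate_user! here: its 401 (vs. the 404 a signed-in user gets) would reveal whether a private path exists, so anonymous requests are always sent to sign-in.` The `except: [:route_not_found]` in the first hunk should carry a matching one-liner pointing at route_not_found so the two halves of the fix are not separated by a later refactor. It appears that non-HTML requests now receive a 302 to the sign-in page where Devise previously answered with a 401; if that is deliberate, say so in the same comment. The enclosing `route_not_found` method begins outside the hunk.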