diff options
author | Sebastian Arcila Valenzuela <sarcila@gitlab.com> | 2019-08-12 16:41:05 +0300 |
---|---|---|
committer | Sebastian Arcila Valenzuela <sarcila@gitlab.com> | 2019-08-21 14:19:18 +0300 |
commit | 0c21854764464bd110b505d689b3fa112936944f (patch) | |
tree | dd5610fea47c83c6a1bc7aed1ecdc73840f9c201 /changelogs | |
parent | 4a6d22ba439cb20937669c4aa2046acffb36a60e (diff) |
Add User#will_save_change_to_login? to clear reset_password_tokens
Devise checks before updating any of the authentication_keys if it
needs to clear the reset_password_tokens.
This should fix:
https://gitlab.com/gitlab-org/gitlab-ce/issues/42733 (Weak
authentication and session management)
Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/unreleased/security-sarcila-fix-weak-session-management.yml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml new file mode 100644 index 00000000000..a37a3099519 --- /dev/null +++ b/changelogs/unreleased/security-sarcila-fix-weak-session-management.yml @@ -0,0 +1,6 @@ +--- +title: Fix weak session management by clearing password reset tokens after login (username/email) + are updated +merge_request: +author: +type: security |