omniauth: protect against CSRF
See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
This commit is contained in:
parent
329bfd5f4d
commit
76335511c8
4 changed files with 10 additions and 1 deletions
1
Gemfile
1
Gemfile
|
@ -39,6 +39,7 @@ gem 'lograge'
|
|||
gem 'logstash-event'
|
||||
gem 'mailjet'
|
||||
gem 'omniauth-github'
|
||||
gem 'omniauth-rails_csrf_protection', '~> 0.1'
|
||||
gem 'openid_connect'
|
||||
gem 'openstack'
|
||||
gem 'pg'
|
||||
|
|
|
@ -386,6 +386,9 @@ GEM
|
|||
omniauth-oauth2 (1.6.0)
|
||||
oauth2 (~> 1.1)
|
||||
omniauth (~> 1.9)
|
||||
omniauth-rails_csrf_protection (0.1.2)
|
||||
actionpack (>= 4.2)
|
||||
omniauth (>= 1.3.1)
|
||||
open4 (1.3.4)
|
||||
openid_connect (1.1.6)
|
||||
activemodel
|
||||
|
@ -731,6 +734,7 @@ DEPENDENCIES
|
|||
mailjet
|
||||
mina!
|
||||
omniauth-github
|
||||
omniauth-rails_csrf_protection (~> 0.1)
|
||||
openid_connect
|
||||
openstack
|
||||
pg
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
.super-admin.flex.justify-center
|
||||
%div
|
||||
%h2 Espace Admin
|
||||
= link_to administration_github_omniauth_authorize_path, class: "button large" do
|
||||
= link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
|
||||
%span.icon.lock
|
||||
Connexion avec GitHub
|
||||
|
|
4
config/initializers/omniauth.rb
Normal file
4
config/initializers/omniauth.rb
Normal file
|
@ -0,0 +1,4 @@
|
|||
# OmniAuth GET requests may be vulnerable to CSRF.
|
||||
# Ensure that OmniAuth only uses POST requests.
|
||||
# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
|
||||
OmniAuth.config.allowed_request_methods = [:post]
|
Loading…
Reference in a new issue