cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prevent CSRF bypass with login form

Browse source
This commit is contained in:
Tom Hughes 2021-02-10 19:37:51 +00:00
parent a17bd24f82
commit 1f136a84a6
5 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/users_controller.rb
View file

@ -276,7 +276,7 @@ class UsersController < ApplicationController
session[:referer] = safe_referer(params[:referer]) if params[:referer] session[:referer] = safe_referer(params[:referer]) if params[:referer]
if params[:username].present? && params[:password].present? if request.post?
session[:remember_me] ||= params[:remember_me] session[:remember_me] ||= params[:remember_me]
password_authentication(params[:username], params[:password]) password_authentication(params[:username], params[:password])
end end

19
test/controllers/users_controller_test.rb
View file

@ -406,6 +406,25 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
ActionMailer::Base.deliveries.clear ActionMailer::Base.deliveries.clear
end end
def test_login
user = create(:user)
get login_path
assert_response :redirect
assert_redirected_to login_path(:cookie_test => true)
follow_redirect!
assert_response :success
assert_template "login"
get login_path, :params => { :username => user.display_name, :password => "test" }
assert_response :success
assert_template "login"
post login_path, :params => { :username => user.display_name, :password => "test" }
assert_response :redirect
assert_redirected_to root_path
end
def test_logout_without_referer def test_logout_without_referer
post logout_path post logout_path
assert_response :redirect assert_response :redirect

12
test/integration/oauth_test.rb
View file

@ -6,8 +6,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10_web_app def test_oauth10_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true) client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" } get "/login"
follow_redirect! follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect! follow_redirect!
assert_response :success assert_response :success
@ -19,8 +20,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10_desktop_app def test_oauth10_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true) client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" } get "/login"
follow_redirect! follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect! follow_redirect!
assert_response :success assert_response :success
@ -31,8 +33,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10a_web_app def test_oauth10a_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true) client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" } get "/login"
follow_redirect! follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect! follow_redirect!
assert_response :success assert_response :success
@ -44,8 +47,9 @@ class OAuthTest < ActionDispatch::IntegrationTest
def test_oauth10a_desktop_app def test_oauth10a_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true) client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
post "/login", :params => { :username => client.user.email, :password => "test" } get "/login"
follow_redirect! follow_redirect!
post "/login", :params => { :username => client.user.email, :password => "test" }
follow_redirect! follow_redirect!
assert_response :success assert_response :success

4
test/integration/page_locale_test.rb
View file

@ -12,6 +12,8 @@ class PageLocaleTest < ActionDispatch::IntegrationTest
def test_defaulting def test_defaulting
user = create(:user, :languages => []) user = create(:user, :languages => [])
get "/login"
follow_redirect!
post "/login", :params => { :username => user.email, :password => "test" } post "/login", :params => { :username => user.email, :password => "test" }
follow_redirect! follow_redirect!
@ -33,6 +35,8 @@ class PageLocaleTest < ActionDispatch::IntegrationTest
get "/diary", :params => { :locale => "es" } get "/diary", :params => { :locale => "es" }
assert_select "html[lang=?]", "es" assert_select "html[lang=?]", "es"
get "/login"
follow_redirect!
post "/login", :params => { :username => user.email, :password => "test" } post "/login", :params => { :username => user.email, :password => "test" }
follow_redirect! follow_redirect!

1
test/test_helper.rb
View file

@ -243,6 +243,7 @@ module ActiveSupport
end end
def session_for(user) def session_for(user)
get login_path
post login_path, :params => { :username => user.display_name, :password => "test" } post login_path, :params => { :username => user.display_name, :password => "test" }
follow_redirect! follow_redirect!
end end