Fix CVE-2015-9284 omniauth security precautions

Close SCI-3588
This commit is contained in:
Jure Grabnar 2019-07-31 16:59:38 +02:00
parent 6546bd1532
commit d9f6c249f9
3 changed files with 8 additions and 1 deletions


@ -24,6 +24,9 @@ gem 'yomu'
gem 'doorkeeper', '>= 4.6'
gem 'omniauth'
gem 'omniauth-linkedin-oauth2'
# TODO: remove this when omniauth gem resolves CVE issues
# Prevents CVE-2015-9284 (https://github.com/omniauth/omniauth/wiki/FAQ#cve-2015-9284-warnings)
gem 'omniauth-rails_csrf_protection', '~> 0.1'
# Gems for API implementation
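Review bot: `omniauth-rails_csrf_protection` (added above this line) verifies the Rails authenticity token in OmniAuth's request phase, but as far as I recall it does not stop that phase from being entered over GET at all: the verifier reuses Rails' `verified_request?`, which treats GET/HEAD as already verified, so a bare `GET /users/auth/linkedin` may still start the flow on the omniauth 1.x line the lockfile resolves to. The commit shows no `OmniAuth.config.allowed_request_methods = [:post]` (normally in `config/initializers/omniauth.rb` or the Devise initializer); if it is not already set elsewhere, add it so only the POST link the view now renders is accepted — please verify against the gem's README. The TODO would also be more actionable if it named the condition, e.g. `# TODO: drop once omniauth is upgraded to a release that rejects GET on the request phase by default`. The hunk's trailing context appears cut off here, so I cannot see whether a version constraint on `gem 'omniauth'` follows.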


@ -353,6 +353,9 @@ GEM
omniauth-oauth2 (1.6.0)
oauth2 (~> 1.1)
omniauth (~> 1.9)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
orm_adapter (0.5.0)
overcommit (0.47.0)
childprocess (~> 0.6, >= 0.6.3)
@ -627,6 +630,7 @@ DEPENDENCIES
nokogiri (~> 1.10.3)
omniauth
omniauth-linkedin-oauth2
omniauth-rails_csrf_protection (~> 0.1)
overcommit
paperclip (~> 6.1)
pg (~> 1.1.4)


@ -27,7 +27,7 @@
<%- if Rails.configuration.x.enable_user_registration && Rails.configuration.x.linkedin_signin_enabled && @oauth_authorize != true %>
<%- if devise_mapping.omniauthable? && resource_class.omniauth_providers.any? && controller_name != 'registrations' %>
<%= link_to omniauth_authorize_path(resource_name, :linkedin), method: :post :title => "Sign in with LinkedIn" do %>
<%= link_to omniauth_authorize_path(resource_name, :linkedin), method: :post, :title => "Sign in with LinkedIn" do %>
<%= image_tag('linkedin/Sign-in-Large---Default.png',
class: 'linkedin-signin-button',
alt: "Sign in with LinkedIn",
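Review bot: `method: :post` on the `link_to` in the new line only becomes a POST when rails-ujs/jquery_ujs is loaded; with JavaScript disabled or failing to load, the anchor degrades to a plain GET, which either re-opens the CVE-2015-9284 request-phase path or fails the CSRF check, depending on how OmniAuth is configured. A `button_to` renders a real form carrying the authenticity token and needs no JS: `<%= button_to omniauth_authorize_path(resource_name, :linkedin), method: :post, title: "Sign in with LinkedIn", class: 'linkedin-signin-form' do %>` with the existing `image_tag` as the block body, styling the button instead of the link. The `link_to` block opened on that line continues past the end of the hunk, so the remaining `image_tag` arguments and the closing `<% end %>` are not visible here.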