| Field | Value | Date |
|---|---|---|
| author | Stan Hu <stanhu@gmail.com> | 2018-09-26 10:53:57 -0700 |
| committer | Stan Hu <stanhu@gmail.com> | 2018-09-26 12:20:43 -0700 |
| commit | 027c3264adbb24a5398241a9eecc218150943cd1 (patch) | |
| tree | 760bfd85869ca3034b3c366513fa2556a8b03cf3 | |
| parent | 4586d77c85647063675108b0dcdcfebed0c890ca (diff) | |
| download | gitlab-ce-027c3264adbb24a5398241a9eecc218150943cd1.tar.gz | |
Guard against a login attempt with invalid CSRF tokens (branch sh-guard-against-ldap-login-csrf-fail)
If a user logs in with a bad CSRF token, the Warden before_logout
hook will be called with no valid user. This would lead to odd
Error 500 messages with a backtrace.
Addresses part of #50857
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml | 5 |
| -rw-r--r-- | config/initializers/warden.rb | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml new file mode 100644 index 00000000000..7233f6f3d7b --- /dev/null +++ b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml @@ -0,0 +1,5 @@ +--- +title: Guard against a login attempt with invalid CSRF token +merge_request: 21934 +author: +type: fixed diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb index 33f55069c3e..1d2bb2bce0a 100644 --- a/config/initializers/warden.rb +++ b/config/initializers/warden.rb @@ -31,6 +31,11 @@ Rails.application.configure do |config| Warden::Manager.before_logout(scope: :user) do |user, auth, opts| user ||= auth.user + + # Rails CSRF protection may attempt to log out a user before that + # user even logs in + next unless user + activity = Gitlab::Auth::Activity.new(opts) tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth) |
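Review bot: in the config/initializers/warden.rb hunk, `next unless user` returns before `activity = Gitlab::Auth::Activity.new(opts)` runs, so a logout triggered by a failed CSRF check leaves no activity record at all; if that path should stay observable, consider placing the guard after the `activity` line (that constructor does not take `user`) or emitting a log line for the skipped logout, and extend the comment to say this is the invalid-CSRF-token case from the commit message rather than the vaguer "before that user even logs in". The diffstat shows only the changelog and the initializer changed, so a spec that invokes the `before_logout` hook with a nil user and asserts no exception would pin the fix down.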