summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRémy Coutable <remy@rymai.me>2016-11-16 17:28:56 +0000
committerRémy Coutable <remy@rymai.me>2016-11-16 17:28:56 +0000
commitd1afb845b16b2a252f03e173fcdb0afa572c013a (patch)
treee2987e19e88d43617a19524dec27cd2bd3f0d7ff
parent2e1fe59e373e4be404b19f4de3c8f44bb07fe91f (diff)
parent067da6224ef2cc53ae4ac38e3f3d1c99d1a97f96 (diff)
downloadgitlab-ce-d1afb845b16b2a252f03e173fcdb0afa572c013a.tar.gz
Merge branch 'fix-shibboleth-auth-with-no-uid' into 'master'
fix shibboleth misconfigurations resulting in authentication bypass This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them. See merge request !7428
-rw-r--r--changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml4
-rw-r--r--config/initializers/devise.rb4
2 files changed, 8 insertions, 0 deletions
diff --git a/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
new file mode 100644
index 00000000000..56fa2170be3
--- /dev/null
+++ b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml
@@ -0,0 +1,4 @@
+---
+title: fix shibboleth misconfigurations resulting in authentication bypass
+merge_request: 7428
+author:
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index f06c4d4ecf2..a8afc36fc78 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -241,6 +241,10 @@ Devise.setup do |config|
end
end
+ if provider['name'] == 'shibboleth'
+ provider['args'][:fail_with_empty_uid] = true
+ end
+
# A Hash from the configuration will be passed as is.
provider_arguments << provider['args'].symbolize_keys
end