Merge branch 'sh-guard-against-ldap-login-csrf-fail' into 'master'

Guard against a login attempt with invalid CSRF token See merge request gitlab-org/gitlab-ce!21934
author: Rémy Coutable <remy@rymai.me> 2018-09-27 08:47:16 +0000
committer: Rémy Coutable <remy@rymai.me> 2018-09-27 08:47:16 +0000
commit: caac73c8ac3b463dcbdfbcc7734f78fd9d6f7da2 (patch)
tree: 05e14c0e10b6df6fe9f198680ba1f731f3576e03
parent: 98a14fb6d2ecafa231bae1d5f43bcf23db987e05 (diff)
parent: 027c3264adbb24a5398241a9eecc218150943cd1 (diff)
download: gitlab-ce-caac73c8ac3b463dcbdfbcc7734f78fd9d6f7da2.tar.gz
2 files changed, 10 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
new file mode 100644
index 00000000000..7233f6f3d7b
--- /dev/null
+++ b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
@@ -0,0 +1,5 @@
+---
+title: Guard against a login attempt with invalid CSRF token
+merge_request: 21934
+author:
+type: fixed
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
index 33f55069c3e..1d2bb2bce0a 100644
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -31,6 +31,11 @@ Rails.application.configure do |config|
 
   Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
     user ||= auth.user
+
+    # Rails CSRF protection may attempt to log out a user before that
+    # user even logs in
+    next unless user
+
     activity = Gitlab::Auth::Activity.new(opts)
     tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)
author	Rémy Coutable <remy@rymai.me>	2018-09-27 08:47:16 +0000
committer	Rémy Coutable <remy@rymai.me>	2018-09-27 08:47:16 +0000
commit	caac73c8ac3b463dcbdfbcc7734f78fd9d6f7da2 (patch)
tree	05e14c0e10b6df6fe9f198680ba1f731f3576e03
parent	98a14fb6d2ecafa231bae1d5f43bcf23db987e05 (diff)
parent	027c3264adbb24a5398241a9eecc218150943cd1 (diff)
download	gitlab-ce-caac73c8ac3b463dcbdfbcc7734f78fd9d6f7da2.tar.gz