diff options
| author | Rémy Coutable <remy@rymai.me> | 2016-11-16 17:28:56 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2016-11-16 17:28:56 +0000 |
| commit | d1afb845b16b2a252f03e173fcdb0afa572c013a (patch) | |
| tree | e2987e19e88d43617a19524dec27cd2bd3f0d7ff | |
| parent | 2e1fe59e373e4be404b19f4de3c8f44bb07fe91f (diff) | |
| parent | 067da6224ef2cc53ae4ac38e3f3d1c99d1a97f96 (diff) | |
| download | gitlab-ce-d1afb845b16b2a252f03e173fcdb0afa572c013a.tar.gz | |
Merge branch 'fix-shibboleth-auth-with-no-uid' into 'master'
fix shibboleth misconfigurations resulting in authentication bypass
This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them.
See merge request !7428
| -rw-r--r-- | changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml | 4 | ||||
| -rw-r--r-- | config/initializers/devise.rb | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml new file mode 100644 index 00000000000..56fa2170be3 --- /dev/null +++ b/changelogs/unreleased/fix-shibboleth-auth-with-no-uid.yml @@ -0,0 +1,4 @@ +--- +title: fix shibboleth misconfigurations resulting in authentication bypass +merge_request: 7428 +author: diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index f06c4d4ecf2..a8afc36fc78 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -241,6 +241,10 @@ Devise.setup do |config| end end + if provider['name'] == 'shibboleth' + provider['args'][:fail_with_empty_uid] = true + end + # A Hash from the configuration will be passed as is. provider_arguments << provider['args'].symbolize_keys end |