diff options
| author | Douwe Maan <douwe@gitlab.com> | 2017-11-07 08:33:58 +0000 |
|---|---|---|
| committer | Lin Jen-Shin <godfat@godfat.org> | 2017-11-10 16:26:53 +0800 |
| commit | ab1f3b47a84b3d2944891216403b89042a8ab3a3 (patch) | |
| tree | 11f0240c66d670916d0e793e6c653fe43b941a34 /app/views/doorkeeper | |
| parent | 304ceb144cca36dbcefcfb508b0dac220f76c9e1 (diff) | |
| download | gitlab-ce-ab1f3b47a84b3d2944891216403b89042a8ab3a3.tar.gz | |
Merge branch '32059-fix-oauth-phishing' into 'security-10-1'
Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization
See merge request gitlab/gitlabhq!2205
Diffstat (limited to 'app/views/doorkeeper')
| -rw-r--r-- | app/views/doorkeeper/applications/_form.html.haml | 2 | ||||
| -rw-r--r-- | app/views/doorkeeper/authorizations/new.html.haml | 19 |
2 files changed, 15 insertions, 6 deletions
diff --git a/app/views/doorkeeper/applications/_form.html.haml b/app/views/doorkeeper/applications/_form.html.haml index b3313c7c985..cf0e0de1ca4 100644 --- a/app/views/doorkeeper/applications/_form.html.haml +++ b/app/views/doorkeeper/applications/_form.html.haml @@ -1,4 +1,4 @@ -= form_for application, url: doorkeeper_submit_path(application), html: {role: 'form'} do |f| += form_for application, url: doorkeeper_submit_path(application), html: { role: 'form', class: 'doorkeeper-app-form' } do |f| = form_errors(application) .form-group diff --git a/app/views/doorkeeper/authorizations/new.html.haml b/app/views/doorkeeper/authorizations/new.html.haml index 8ba88906714..85e4170aee9 100644 --- a/app/views/doorkeeper/authorizations/new.html.haml +++ b/app/views/doorkeeper/authorizations/new.html.haml @@ -1,5 +1,7 @@ +- auth_app_owner = @pre_auth.client.application.owner + %main{ :role => "main" } - .modal-no-backdrop + .modal-no-backdrop.modal-doorkeepr-auth .modal-content .modal-header %h3.page-title @@ -16,14 +18,21 @@ %strong= @pre_auth.client.name will allow them to interact with GitLab as an admin as well. Proceed with caution. %p - You are about to authorize + An application called = link_to @pre_auth.client.name, @pre_auth.redirect_uri, target: '_blank', rel: 'noopener noreferrer' - to use your account. - - if @pre_auth.scopes + is requesting access to your GitLab account. This application was created by + = succeed "." do + = link_to auth_app_owner.name, user_path(auth_app_owner) + Please note that this application is not provided by GitLab and you should verify its authenticity before + allowing access. + - if @pre_auth.scopes + %p This application will be able to: %ul - @pre_auth.scopes.each do |scope| - %li= t scope, scope: [:doorkeeper, :scopes] + %li + %strong= t scope, scope: [:doorkeeper, :scopes] + .scope-description= t scope, scope: [:doorkeeper, :scope_desc] .form-actions.text-right = form_tag oauth_authorization_path, method: :delete, class: 'inline' do = hidden_field_tag :client_id, @pre_auth.client.uid |