| author | Tiger <twatson@gitlab.com> | 2019-02-13 11:11:28 +1100 |
|---|---|---|
| committer | Tiger <twatson@gitlab.com> | 2019-02-19 17:22:50 +1100 |
| commit | 1461913399038aefd786dc807ee5e3361639a565 (patch) | |
| tree | fb0991ae6d11ce7c3837ce1b84712db94466420b /changelogs | |
| parent | c5b5b18b3f1c5b683ceb4471e667d675de9200eb (diff) | |
| download | gitlab-ce-1461913399038aefd786dc807ee5e3361639a565.tar.gz | |
Validate session key when authorizing with GCP to create a cluster
It was previously possible to link a GCP account to another
user's GitLab account by having them visit the callback URL,
as there was no check that they were the initiator of the
request.
We now reject the callback unless the state parameter
matches the one added to the initiating user's session.
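The commit message describes the standard defence against this class of login CSRF: bind the authorization flow to the session of the user who started it with a random `state` value, and refuse the callback unless the returned value matches. The following is an added illustration of that check, not GitLab's own code; the module name, the session key and the helper names are assumptions made for the example.

```ruby
require 'securerandom'

# Added example (not GitLab's code): bind an authorization callback to the
# session that initiated it. Module, key and method names are assumptions.
module AuthorizationState
  SESSION_KEY = :gcp_authorize_state # assumed session key name

  # Step 1, when the user starts the flow: mint a random, unguessable state,
  # remember it in *this* user's session, and send it along to the provider.
  def self.begin_authorization(session)
    state = SecureRandom.hex(32)
    session[SESSION_KEY] = state
    state
  end

  # Step 2, on the provider's callback: accept only if the returned state equals
  # the one stored in the session of the user who started the flow. The stored
  # value is consumed so a state can be used once, and the comparison is
  # constant-time so the check does not leak how many bytes matched.
  def self.valid_callback?(session, returned_state)
    expected = session.delete(SESSION_KEY)
    return false if expected.nil? || returned_state.nil?
    return false unless expected.bytesize == returned_state.bytesize
    secure_compare(expected, returned_state)
  end

  # Constant-time byte comparison for equal-length strings.
  def self.secure_compare(a, b)
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed scenario: the user who initiated the flow has the state in their
# session; any other session does not, so the same callback URL is rejected there.
if __FILE__ == $PROGRAM_NAME
  initiator_session = {}
  other_session = {}
  state = AuthorizationState.begin_authorization(initiator_session)
  puts "callback in another session accepted? #{AuthorizationState.valid_callback?(other_session, state)}"
  puts "callback in initiating session accepted? #{AuthorizationState.valid_callback?(initiator_session, state)}"
  puts "replay of the same state accepted? #{AuthorizationState.valid_callback?(initiator_session, state)}"
end
```

The important property is that the check reads the expected value from the server-side session, never from the request, so a callback URL handed to a different user carries a `state` that no longer matches anything in that user's session.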
Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/unreleased/security-kubernetes-google-login-csrf.yml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-kubernetes-google-login-csrf.yml b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml new file mode 100644 index 00000000000..2f87100a8dd --- /dev/null +++ b/changelogs/unreleased/security-kubernetes-google-login-csrf.yml @@ -0,0 +1,5 @@ +--- +title: Validate session key when authorizing with GCP to create a cluster +merge_request: +author: +type: security |
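Review bot: the changelog title in this hunk ("Validate session key when authorizing with GCP to create a cluster") describes the fix differently from the commit message, which says the callback is rejected unless the `state` parameter matches the value stored in the initiating user's session; consider a title that names the state-parameter check, e.g. "Reject GCP cluster authorization callbacks whose state does not match the session", so the entry is clear to readers of the release notes. The `merge_request:` and `author:` fields are left empty; if that is intentional for a security entry landing outside the usual MR flow, fine, otherwise the merge request id should be filled in so the entry links back to the review.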