summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorStan Hu <stanhu@gmail.com>2018-09-26 10:53:57 -0700
committerStan Hu <stanhu@gmail.com>2018-09-26 12:20:43 -0700
commit027c3264adbb24a5398241a9eecc218150943cd1 (patch)
tree760bfd85869ca3034b3c366513fa2556a8b03cf3 /config
parent4586d77c85647063675108b0dcdcfebed0c890ca (diff)
downloadgitlab-ce-027c3264adbb24a5398241a9eecc218150943cd1.tar.gz
Guard against a login attempt with invalid CSRF tokensh-guard-against-ldap-login-csrf-fail
If a user logs in with a bad CSRF token, the Warden before_logout hook will be called with no valid user. This would lead to odd Error 500 messages with a backtrace. Addresses part of #50857
Diffstat (limited to 'config')
-rw-r--r--config/initializers/warden.rb5
1 files changed, 5 insertions, 0 deletions
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
index 33f55069c3e..1d2bb2bce0a 100644
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -31,6 +31,11 @@ Rails.application.configure do |config|
Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
user ||= auth.user
+
+ # Rails CSRF protection may attempt to log out a user before that
+ # user even logs in
+ next unless user
+
activity = Gitlab::Auth::Activity.new(opts)
tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)