Merge branch 'omniauth-csrf' into 'master'

Protect OmniAuth request phase against CSRF. Addresses #2268. See merge request !1793
author: Dmitriy Zaporozhets <dzaporozhets@gitlab.com> 2015-05-14 14:22:26 +0000
committer: Dmitriy Zaporozhets <dzaporozhets@gitlab.com> 2015-05-14 14:22:26 +0000
commit: c2ee828c19cb245809647428334b8ef215536a0d (patch)
tree: 27a00bc43a61ad5a07a6577281cbb21ea71371d3 /config
parent: 910794bae5a91479f41468ebc345db680a33b20e (diff)
parent: b17f36f040a18ff6700881c56607ba6df436f652 (diff)
download: gitlab-ce-c2ee828c19cb245809647428334b8ef215536a0d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/config/initializers/7_omniauth.rb b/config/initializers/7_omniauth.rb
index 8f6c5673103..103aa06ca32 100644
--- a/config/initializers/7_omniauth.rb
+++ b/config/initializers/7_omniauth.rb
@@ -10,3 +10,8 @@ if Gitlab::LDAP::Config.enabled?
     alias_method server['provider_name'], :ldap
   end
 end
+
+OmniAuth.config.allowed_request_methods = [:post]
+OmniAuth.config.before_request_phase do |env|
+  OmniAuth::RequestForgeryProtection.new(env).call
+end
author	Dmitriy Zaporozhets <dzaporozhets@gitlab.com>	2015-05-14 14:22:26 +0000
committer	Dmitriy Zaporozhets <dzaporozhets@gitlab.com>	2015-05-14 14:22:26 +0000
commit	c2ee828c19cb245809647428334b8ef215536a0d (patch)
tree	27a00bc43a61ad5a07a6577281cbb21ea71371d3 /config
parent	910794bae5a91479f41468ebc345db680a33b20e (diff)
parent	b17f36f040a18ff6700881c56607ba6df436f652 (diff)
download	gitlab-ce-c2ee828c19cb245809647428334b8ef215536a0d.tar.gz