diff options
author | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 15:41:09 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-08 15:41:09 +0200 |
commit | 809c4a10ccd51a7bec3b7bbc22b4f95238a32553 (patch) | |
tree | 776cfb0154cd64dba7e70c7887d4be2571e304b9 /app/helpers | |
parent | 65b38e5bc1b575c104a4209501b48dda60a3ca89 (diff) | |
download | gitlab-ci-809c4a10ccd51a7bec3b7bbc22b4f95238a32553.tar.gz |
Don't use return_to, but instead pass state with signed return_to parameter
Diffstat (limited to 'app/helpers')
-rw-r--r-- | app/helpers/user_sessions_helper.rb | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb index e5853b5..df158c6 100644 --- a/app/helpers/user_sessions_helper.rb +++ b/app/helpers/user_sessions_helper.rb @@ -3,17 +3,18 @@ module UserSessionsHelper SecureRandom.hex(16) end - def generate_oauth_secret(salt, return_to) + def generate_oauth_hmac(salt, return_to) return unless return_to - message = GitlabCi::Application.config.secret_key_base + salt + return_to - Digest::SHA256.hexdigest message + digest = OpenSSL::Digest.new('sha256') + key = GitlabCi::Application.config.secret_key_base + salt + OpenSSL::HMAC.hexdigest(digest, key, return_to) end def generate_oauth_state(return_to) return unless return_to salt = generate_oauth_salt - secret = generate_oauth_secret(salt, return_to) - "#{salt}:#{secret}:#{return_to}" + hmac = generate_oauth_hmac(salt, return_to) + "#{salt}:#{hmac}:#{return_to}" end def get_ouath_state_return_to(state) @@ -22,8 +23,8 @@ module UserSessionsHelper def is_oauth_state_valid?(state) return true unless state - salt, secret, return_to = state.split(':', 3) + salt, hmac, return_to = state.split(':', 3) return false unless return_to - secret == generate_oauth_secret(salt, return_to) + hmac == generate_oauth_hmac(salt, return_to) end end |