SECURITY: correct edge case when SSO provides unvalidated emails

Sam 2018-09-11 08:24:02 +10:00
parent 65cffedc33
commit a5ae7ee8e2
2 changed files with 11 additions and 1 deletions


@ -160,7 +160,8 @@ class DiscourseSingleSignOn < SingleSignOn
# Use a mutex here to counter SSO requests that are sent at the same time w
# the same email payload
DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
unless user = User.find_by_email(email)
user = User.find_by_email(email) if !require_activation
if !user
try_name = name.presence
try_username = username.presence

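Review bot: When `require_activation` is set and an account with this email already exists, the new lookup line is skipped and control falls into the `if !user` create branch, so the collision surfaces only as whatever uniqueness error the create path raises (the spec in this commit expects `ActiveRecord::RecordInvalid`) rather than as a deliberate, loggable refusal; the security rationale behind skipping the lookup is also undocumented. I would put a why-comment above the new lookup: `# Only match an existing account by email when the SSO provider has verified it; an unverified email must never be able to claim an existing account.` Consider rejecting the collision explicitly before creation, e.g. `raise ActiveRecord::RecordInvalid if require_activation && User.find_by_email(email)`, so the refusal is intentional and stays correct even if the uniqueness validation changes. Minor style: `if !require_activation` and `if !user` read more idiomatically as `unless require_activation` / `unless user`. The enclosing method (presumably `lookup_or_create_user`) starts before and continues past this hunk, so the create path itself is not visible here.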

@ -345,6 +345,15 @@ describe DiscourseSingleSignOn do
sso.require_activation = true
user = sso.lookup_or_create_user(ip_address)
expect(user.active).to eq(false)
user.activate
sso.external_id = "B"
expect do
sso.lookup_or_create_user(ip_address)
end.to raise_error(ActiveRecord::RecordInvalid)
end
it 'does not deactivate user if email provided is capitalized' do