From a5ae7ee8e2184993f8d92887c942ee929bebe8ee Mon Sep 17 00:00:00 2001
From: Sam
Date: Tue, 11 Sep 2018 08:24:02 +1000
Subject: [PATCH] SECURITY: correct edge case when SSO provides unvalidated emails
---
 app/models/discourse_single_sign_on.rb | 3 ++-
 spec/models/discourse_single_sign_on_spec.rb | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 9cc89bbcdc..5becc1e08c 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -160,7 +160,8 @@ class DiscourseSingleSignOn < SingleSignOn
 # Use a mutex here to counter SSO requests that are sent at the same time w
 # the same email payload
 DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
- unless user = User.find_by_email(email)
+ user = User.find_by_email(email) if !require_activation
+ if !user
 try_name = name.presence
 try_username = username.presence
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index 8d7ddf0a3e..4d856fa8b2 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -345,6 +345,15 @@ describe DiscourseSingleSignOn do
 sso.require_activation = true
 user = sso.lookup_or_create_user(ip_address)
 expect(user.active).to eq(false)
+
+ user.activate
+
+ sso.external_id = "B"
+
+ expect do
+ sso.lookup_or_create_user(ip_address)
+ end.to raise_error(ActiveRecord::RecordInvalid)
+
 end
 it 'does not deactivate user if email provided is capitalized' do
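Review bot: The new `user = User.find_by_email(email) if !require_activation` line carries the whole security decision of this commit, yet nothing in the hunk says why the email lookup is skipped, and a later maintainer who sees the resulting `ActiveRecord::RecordInvalid` on a duplicate address could easily restore the lookup as a "fix". A comment above it such as `# With require_activation the provider has not verified this email, so it must not be used to match an existing account; fall through to creating a new, inactive user instead` would anchor the intent next to the code. As a point of style, both conditions read more idiomatically as `user = User.find_by_email(email) unless require_activation` and `unless user`. The enclosing method starts and ends outside the hunk, so whether `user` may already hold a value from an earlier lookup when the modifier condition is false is not visible here and is worth confirming.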
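Review bot: The new expectation pins only the exception class in `end.to raise_error(ActiveRecord::RecordInvalid)`, so a validation failure for any unrelated reason would also satisfy it; passing a second argument that matches the validation message (if that message names the email) would tie the assertion to the duplicate-address path the commit fixes. The stronger property to lock in is that the existing account was not touched: after the failing call, reload `user` and assert that it is still bound to the first external id and still active, which is what the `require_activation` guard is meant to protect. The trailing blank added line before `end` is stray whitespace. The `it` block's opening line is outside the hunk.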