github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-22 05:25:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: correct edge case when SSO provides unvalidated emails

Browse Source
This commit is contained in:
Sam 2018-09-11 08:24:02 +10:00
parent 80eace4268
commit e64402cb3b
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/models/discourse_single_sign_on.rb
View File

@ -162,7 +162,8 @@ class DiscourseSingleSignOn < SingleSignOn
# Use a mutex here to counter SSO requests that are sent at the same time w # Use a mutex here to counter SSO requests that are sent at the same time w
# the same email payload # the same email payload
DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
unless user = User.find_by_email(email) user = User.find_by_email(email) if !require_activation
if !user
try_name = name.presence try_name = name.presence
try_username = username.presence try_username = username.presence

9
spec/models/discourse_single_sign_on_spec.rb
View File

@ -377,6 +377,15 @@ describe DiscourseSingleSignOn do
sso.require_activation = true sso.require_activation = true
user = sso.lookup_or_create_user(ip_address) user = sso.lookup_or_create_user(ip_address)
expect(user.active).to eq(false) expect(user.active).to eq(false)
user.activate
sso.external_id = "B"
expect do
sso.lookup_or_create_user(ip_address)
end.to raise_error(ActiveRecord::RecordInvalid)
end end
it 'does not deactivate user if email provided is capitalized' do it 'does not deactivate user if email provided is capitalized' do