From fdc89b1735f32c86badb346d201b978eb0803f53 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 3 Sep 2014 12:53:22 +1000
Subject: [PATCH] SECURITY: GitHub authenticator returning unverified emails

---
 Gemfile                          | 5 ++++-
 Gemfile.lock                     | 4 ++--
 lib/auth/github_authenticator.rb | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Gemfile b/Gemfile
index dcbcddfcce6..2acc438c943 100644
--- a/Gemfile
+++ b/Gemfile
@@ -130,7 +130,10 @@ gem 'omniauth-openid'
 gem 'openid-redis-store'
 gem 'omniauth-facebook'
 gem 'omniauth-twitter'
-gem 'omniauth-github'
+
+# forked while https://github.com/intridea/omniauth-github/pull/41 is being upstreamd
+gem 'omniauth-github-discourse', require: 'omniauth-github'
+
 gem 'omniauth-oauth2', require: false
 gem 'omniauth-google-oauth2'
 gem 'oj'
diff --git a/Gemfile.lock b/Gemfile.lock
index d834ee5a5ff..c43b7e85f01 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -206,7 +206,7 @@ GEM
       rack (~> 1.0)
     omniauth-facebook (1.6.0)
       omniauth-oauth2 (~> 1.1)
-    omniauth-github (1.1.1)
+    omniauth-github-discourse (1.1.2)
       omniauth (~> 1.0)
       omniauth-oauth2 (~> 1.1)
     omniauth-google-oauth2 (0.2.4)
@@ -448,7 +448,7 @@ DEPENDENCIES
   oj
   omniauth
   omniauth-facebook
-  omniauth-github
+  omniauth-github-discourse
   omniauth-google-oauth2
   omniauth-oauth2
   omniauth-openid
diff --git a/lib/auth/github_authenticator.rb b/lib/auth/github_authenticator.rb
index 5ca16a551af..256ad095988 100644
--- a/lib/auth/github_authenticator.rb
+++ b/lib/auth/github_authenticator.rb
@@ -20,10 +20,11 @@ class Auth::GithubAuthenticator < Auth::Authenticator
     }
     user_info = GithubUserInfo.find_by(github_user_id: github_user_id)
+    result.email_valid = !!data["email_verified"]
     if user_info
       user = user_info.user
-    elsif user = User.find_by_email(email)
+    elsif result.email_valid && (user = User.find_by_email(email))
       user_info = GithubUserInfo.create(
         user_id: user.id,
         screen_name: screen_name,
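Review bot: `result.email_valid = !!data["email_verified"]` treats any truthy value as a verified address, so if the field ever arrives as a string such as "false" (the Gemfile comment marks the forked gem as temporary, and an upstream replacement could shape this field differently) the account-linking guard on the `elsif` line would open up for an unverified email; a strict comparison, `result.email_valid = data["email_verified"] == true`, fails closed on anything that is not a real boolean. Where `data` is built is outside the hunk, so whether it is string- or symbol-keyed cannot be confirmed here. A comment above the assignment, e.g. `# link to an existing account by email only when the provider attests the address is verified`, would record why the `elsif` is gated, since the method begins and ends outside this hunk.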
@@ -32,7 +33,6 @@ class Auth::GithubAuthenticator < Auth::Authenticator
     end
     result.user = user
-    result.email_valid = false
     result
   end