SECURITY: GitHub authenticator returning unverified emails

Gemfile

@@ -130,7 +130,10 @@ gem 'omniauth-openid'
 gem 'openid-redis-store'
 gem 'omniauth-facebook'
 gem 'omniauth-twitter'
-gem 'omniauth-github'
+
+# forked while https://github.com/intridea/omniauth-github/pull/41 is being upstreamd
+gem 'omniauth-github-discourse', require: 'omniauth-github'
+
 gem 'omniauth-oauth2', require: false
 gem 'omniauth-google-oauth2'
 gem 'oj'

Gemfile.lock

@@ -206,7 +206,7 @@ GEM
       rack (~> 1.0)
     omniauth-facebook (1.6.0)
       omniauth-oauth2 (~> 1.1)
-    omniauth-github (1.1.1)
+    omniauth-github-discourse (1.1.2)
       omniauth (~> 1.0)
       omniauth-oauth2 (~> 1.1)
     omniauth-google-oauth2 (0.2.4)
@@ -448,7 +448,7 @@ DEPENDENCIES
   oj
   omniauth
   omniauth-facebook
-  omniauth-github
+  omniauth-github-discourse
   omniauth-google-oauth2
   omniauth-oauth2
   omniauth-openid

lib/auth/github_authenticator.rb

@@ -20,10 +20,11 @@ class Auth::GithubAuthenticator < Auth::Authenticator
     }
 
     user_info = GithubUserInfo.find_by(github_user_id: github_user_id)
+    result.email_valid = !!data["email_verified"]
 
     if user_info
       user = user_info.user
-    elsif user = User.find_by_email(email)
+    elsif result.email_valid && (user = User.find_by_email(email))
       user_info = GithubUserInfo.create(
           user_id: user.id,
           screen_name: screen_name,
@@ -32,7 +33,6 @@ class Auth::GithubAuthenticator < Auth::Authenticator
     end
 
     result.user = user
-    result.email_valid = false
 
     result
   end