Merge branch 'sh-guard-against-ldap-login-csrf-fail' into 'master'

Guard against a login attempt with invalid CSRF token See merge request gitlab-org/gitlab-ce!21934

Merge branch 'sh-guard-against-ldap-login-csrf-fail' into 'master'
Guard against a login attempt with invalid CSRF token See merge request gitlab-org/gitlab-ce!21934
caac73c8 · Rémy Coutable · 98a14fb6 · 027c3264 · caac73c8 · caac73c8
Commit caac73c8 authored Sep 27, 2018 by Rémy Coutable
Showing with 10 additions and 0 deletions

changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml ...logs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml +5 -0

config/initializers/warden.rb config/initializers/warden.rb +5 -0

No files found.
--- a/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
+++ b/changelogs/unreleased/sh-guard-against-ldap-login-csrf-fail.yml
+---
+title: Guard against a login attempt with invalid CSRF token
+merge_request: 21934
+author:
+type: fixed
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -31,6 +31,11 @@ Rails.application.configure do |config|

  Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
    user ||= auth.user
+
+    # Rails CSRF protection may attempt to log out a user before that
+    # user even logs in
+    next unless user
+
    activity = Gitlab::Auth::Activity.new(opts)
    tracker = Gitlab::Auth::BlockedUserTracker.new(user, auth)