Commit d1afb845 authored by Rémy Coutable

Merge branch 'fix-shibboleth-auth-with-no-uid' into 'master'

fix shibboleth misconfigurations resulting in authentication bypass

This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them.

See merge request !7428
parents 2e1fe59e 067da622
---
title: fix shibboleth misconfigurations resulting in authentication bypass
merge_request: 7428
author:
...@@ -241,6 +241,10 @@ Devise.setup do |config| ...@@ -241,6 +241,10 @@ Devise.setup do |config|
end end
end end
if provider['name'] == 'shibboleth'
provider['args'][:fail_with_empty_uid] = true
end
# A Hash from the configuration will be passed as is. # A Hash from the configuration will be passed as is.
provider_arguments << provider['args'].symbolize_keys provider_arguments << provider['args'].symbolize_keys
end end
......
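Review bot: The new assignment `provider['args'][:fail_with_empty_uid] = true` writes a symbol key into the hash before the `symbolize_keys` call on the following context line, so if the configuration already carries the same option under a string key, the value that survives depends on key order in the hash rather than on an explicit override. Setting the option on the symbolized result, for example `args = provider['args'].symbolize_keys` followed by `args[:fail_with_empty_uid] = true` and then `provider_arguments << args`, makes the forced value unambiguous and avoids mutating the settings object in place. A one-line comment above the `if provider['name'] == 'shibboleth'` block saying that the option is forced on to prevent logins with an empty uid would also help the next reader, since the hunk itself gives no reason for the override.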