devise 3.0.1 → 3.0.2



@@ -1,5 +1,12 @@
1
+ == 3.0.2
2
+
3
+ * bug fix
4
+ * Skip storage for cookies on unverified requests
5
+
1
6
  == 3.0.1
2
7
 
8
+ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
9
+
3
10
  * enhancements
4
11
  * Add after_confirmation callback
5
12
 
@@ -12,7 +12,7 @@ GIT
12
12
  PATH
13
13
  remote: .
14
14
  specs:
15
- devise (3.0.0)
15
+ devise (3.0.2)
16
16
  bcrypt-ruby (~> 3.0)
17
17
  orm_adapter (~> 0.1)
18
18
  railties (>= 3.2.6, < 5)
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ..
3
3
  specs:
4
- devise (3.0.0)
4
+ devise (3.0.2)
5
5
  bcrypt-ruby (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
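--- a/lib/devise/controllers/rememberable.rb
+++ b/lib/devise/controllers/rememberable.rb
@@ -21,6 +21,7 @@ module Devise
 
  # Remembers the given resource by setting up a cookie
  def remember_me(resource)
+ return if env["devise.skip_storage"]
  scope = Devise::Mapping.find_scope!(resource)
  resource.remember_me!(resource.extend_remember_period)
  cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)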
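Review bot: The new guard `return if env["devise.skip_storage"]` is undocumented: the comment above `remember_me` still says only that it sets up a cookie, and nothing in the hunk shows where `devise.skip_storage` is set, so a reader cannot tell that it is a request-scoped flag for requests whose CSRF verification failed. I'd extend the comment to `# Remembers the given resource by setting up a cookie. Does nothing when env["devise.skip_storage"] is set (presumably by the forgery-protection handling elsewhere), so neither the remember token nor the cookie is persisted for an unverified request.` Returning before `resource.remember_me!` also means the model-side remember token is never generated for such requests, which looks like the intended effect but is worth stating so nobody "fixes" the ordering later. The body of `remember_me` continues past the end of the hunk.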
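--- a/lib/devise/rails/warden_compat.rb
+++ b/lib/devise/rails/warden_compat.rb
@@ -3,9 +3,16 @@ module Warden::Mixins::Common
  @request ||= ActionDispatch::Request.new(env)
  end
 
- # This is called internally by Warden on logout
+ NULL_STORE =
+ defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+ ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+
  def reset_session!
- request.reset_session
+ # Calling reset_session on NULL_STORE causes it fail.
+ # This is a bug that needs to be fixed in Rails.
+ unless NULL_STORE && request.session.is_a?(NULL_STORE)
+ request.reset_session
+ end
  end
 
  def cookies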
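Review bot: The removed comment `# This is called internally by Warden on logout` is not carried over, so `reset_session!` loses its only explanation at the same time it gains a workaround that needs one; I'd restore that line directly above `def reset_session!`. `NULL_STORE` is resolved once at load time by `defined?(...)`, so if the `NullSessionHash` constant is not loaded when this file is required, `NULL_STORE` stays `nil`, the `unless` guard never fires, and `request.reset_session` is called on the null session exactly as before; that load-order assumption should be written down, e.g. `# Resolved once at load time: ActionController must already be loaded for the guard below to apply.` Skipping the reset appears to rely on a null session holding nothing that needs clearing on logout, which is the security reasoning a reader needs and the comment currently omits. The three-line ternary would read more plainly as a single expression, `NULL_STORE = defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) && ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash`, which yields the same `nil`-or-class value.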
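--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
  module Devise
- VERSION = "3.0.1".freeze
+ VERSION = "3.0.2".freeze
  end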
@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
202
202
 
203
203
  test 'sign in and redirect uses the stored location' do
204
204
  user = User.new
205
- @controller.session[:"user_return_to"] = "/foo.bar"
205
+ @controller.session[:user_return_to] = "/foo.bar"
206
206
  @mock_warden.expects(:user).with(:user).returns(nil)
207
207
  @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
208
208
  @controller.expects(:redirect_to).with("/foo.bar")
@@ -433,7 +433,7 @@ end
433
433
 
434
434
  class AuthenticationOthersTest < ActionDispatch::IntegrationTest
435
435
  test 'handles unverified requests gets rid of caches' do
436
- swap UsersController, :allow_forgery_protection => true do
436
+ swap ApplicationController, :allow_forgery_protection => true do
437
437
  post exhibit_user_url(1)
438
438
  assert_not warden.authenticated?(:user)
439
439
 
@@ -2,7 +2,7 @@ require 'test_helper'
2
2
 
3
3
  class HttpAuthenticationTest < ActionDispatch::IntegrationTest
4
4
  test 'handles unverified requests gets rid of caches but continues signed in' do
5
- swap UsersController, :allow_forgery_protection => true do
5
+ swap ApplicationController, :allow_forgery_protection => true do
6
6
  create_user
7
7
  post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
8
8
  assert warden.authenticated?(:user)
@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
30
30
  assert_nil request.cookies["remember_user_cookie"]
31
31
  end
32
32
 
33
- test 'handles unverified requests gets rid of caches' do
34
- swap UsersController, :allow_forgery_protection => true do
33
+ test 'handle unverified requests gets rid of caches' do
34
+ swap ApplicationController, :allow_forgery_protection => true do
35
35
  post exhibit_user_url(1)
36
36
  assert_not warden.authenticated?(:user)
37
37
 
@@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
42
42
  end
43
43
  end
44
44
 
45
+ test 'handle unverified requests does not create cookies on sign in' do
46
+ swap ApplicationController, :allow_forgery_protection => true do
47
+ get new_user_session_path
48
+ assert request.session[:_csrf_token]
49
+
50
+ post user_session_path, :authenticity_token => "oops", :user =>
51
+ { email: "jose.valim@gmail.com", password: "123456", :remember_me => "1" }
52
+ assert_not warden.authenticated?(:user)
53
+ assert_not request.cookies['remember_user_token']
54
+ end
55
+ end
56
+
45
57
  test 'generate remember token after sign in' do
46
58
  sign_in_as_user :remember_me => true
47
- assert request.cookies["remember_user_token"]
59
+ assert request.cookies['remember_user_token']
48
60
  end
49
61
 
50
62
  test 'generate remember token after sign in setting cookie options' do
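Review bot: The new test 'handle unverified requests does not create cookies on sign in' never creates the user it signs in as, so `assert_not warden.authenticated?(:user)` and `assert_not request.cookies['remember_user_token']` would also pass with the forgery protection broken, because a sign-in for a nonexistent `jose.valim@gmail.com` fails anyway (unless a setup block outside the hunk creates that record). I'd call `create_user` first and post the credentials the other integration tests use (`user@test.com` / `12345678`, as seen in HttpAuthenticationTest above), so the assertions only hold because the unverified request was rejected. The positive control — the same sign-in with a valid token producing the cookie — appears to be covered by 'generate remember token after sign in' just below. The hash literal on the `post` line mixes `email:` with `:remember_me =>`; pick one style.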
@@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
90
102
  assert_redirected_to root_path
91
103
  end
92
104
 
93
- test 'cookies are destroyed on unverified requests' do
94
- swap ApplicationController, :allow_forgery_protection => true do
95
- create_user_and_remember
96
- get users_path
97
- assert warden.authenticated?(:user)
98
- post root_path, :authenticity_token => 'INVALID'
99
- assert_not warden.authenticated?(:user)
100
- end
101
- end
102
-
103
105
  test 'does not extend remember period through sign in' do
104
106
  swap Devise, :extend_remember_period => true, :remember_for => 1.year do
105
107
  user = create_user
metadata CHANGED
@@ -1,8 +1,8 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
+ version: 3.0.2
4
5
  prerelease:
5
- version: 3.0.1
6
6
  platform: ruby
7
7
  authors:
8
8
  - José Valim
@@ -10,58 +10,60 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2013-08-02 00:00:00.000000000 Z
13
+ date: 2013-08-09 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
- version_requirements: !ruby/object:Gem::Requirement
16
+ name: warden
17
+ requirement: !ruby/object:Gem::Requirement
18
+ none: false
17
19
  requirements:
18
20
  - - ~>
19
21
  - !ruby/object:Gem::Version
20
22
  version: 1.2.3
21
- none: false
22
- name: warden
23
23
  type: :runtime
24
24
  prerelease: false
25
- requirement: !ruby/object:Gem::Requirement
25
+ version_requirements: !ruby/object:Gem::Requirement
26
+ none: false
26
27
  requirements:
27
28
  - - ~>
28
29
  - !ruby/object:Gem::Version
29
30
  version: 1.2.3
30
- none: false
31
31
  - !ruby/object:Gem::Dependency
32
- version_requirements: !ruby/object:Gem::Requirement
32
+ name: orm_adapter
33
+ requirement: !ruby/object:Gem::Requirement
34
+ none: false
33
35
  requirements:
34
36
  - - ~>
35
37
  - !ruby/object:Gem::Version
36
38
  version: '0.1'
37
- none: false
38
- name: orm_adapter
39
39
  type: :runtime
40
40
  prerelease: false
41
- requirement: !ruby/object:Gem::Requirement
41
+ version_requirements: !ruby/object:Gem::Requirement
42
+ none: false
42
43
  requirements:
43
44
  - - ~>
44
45
  - !ruby/object:Gem::Version
45
46
  version: '0.1'
46
- none: false
47
47
  - !ruby/object:Gem::Dependency
48
- version_requirements: !ruby/object:Gem::Requirement
48
+ name: bcrypt-ruby
49
+ requirement: !ruby/object:Gem::Requirement
50
+ none: false
49
51
  requirements:
50
52
  - - ~>
51
53
  - !ruby/object:Gem::Version
52
54
  version: '3.0'
53
- none: false
54
- name: bcrypt-ruby
55
55
  type: :runtime
56
56
  prerelease: false
57
- requirement: !ruby/object:Gem::Requirement
57
+ version_requirements: !ruby/object:Gem::Requirement
58
+ none: false
58
59
  requirements:
59
60
  - - ~>
60
61
  - !ruby/object:Gem::Version
61
62
  version: '3.0'
62
- none: false
63
63
  - !ruby/object:Gem::Dependency
64
- version_requirements: !ruby/object:Gem::Requirement
64
+ name: railties
65
+ requirement: !ruby/object:Gem::Requirement
66
+ none: false
65
67
  requirements:
66
68
  - - ! '>='
67
69
  - !ruby/object:Gem::Version
@@ -69,11 +71,10 @@ dependencies:
69
71
  - - <
70
72
  - !ruby/object:Gem::Version
71
73
  version: '5'
72
- none: false
73
- name: railties
74
74
  type: :runtime
75
75
  prerelease: false
76
- requirement: !ruby/object:Gem::Requirement
76
+ version_requirements: !ruby/object:Gem::Requirement
77
+ none: false
77
78
  requirements:
78
79
  - - ! '>='
79
80
  - !ruby/object:Gem::Version
@@ -81,7 +82,6 @@ dependencies:
81
82
  - - <
82
83
  - !ruby/object:Gem::Version
83
84
  version: '5'
84
- none: false
85
85
  description: Flexible authentication solution for Rails with Warden
86
86
  email: contact@plataformatec.com.br
87
87
  executables: []
@@ -313,17 +313,17 @@ rdoc_options: []
313
313
  require_paths:
314
314
  - lib
315
315
  required_ruby_version: !ruby/object:Gem::Requirement
316
+ none: false
316
317
  requirements:
317
318
  - - ! '>='
318
319
  - !ruby/object:Gem::Version
319
320
  version: '0'
320
- none: false
321
321
  required_rubygems_version: !ruby/object:Gem::Requirement
322
+ none: false
322
323
  requirements:
323
324
  - - ! '>='
324
325
  - !ruby/object:Gem::Version
325
326
  version: '0'
326
- none: false
327
327
  requirements: []
328
328
  rubyforge_project: devise
329
329
  rubygems_version: 1.8.23
@@ -444,4 +444,3 @@ test_files:
444
444
  - test/test_helper.rb
445
445
  - test/test_helpers_test.rb
446
446
  - test/test_models.rb
447
- has_rdoc: