devise 5.0.2 → 5.0.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4cffe2aa12ff3240ea7c769cce8f54514bcbf3b7937e3cae3e530fa38c504610
4
- data.tar.gz: 47999dcc6dbe990d3c809b35fa138b071f5b2fa0411600093a9b4926c32567a8
3
+ metadata.gz: 40065ae1fdb8a0bdf390bf5c3624b9f68a89ac6dbb21131749d8833325248215
4
+ data.tar.gz: 432727f7b82b0725c6cfb9fd7776b3ea0fc8d892abd3b44afe3c3753cac3dc6c
5
5
  SHA512:
6
- metadata.gz: 7f40111655bc0aee66e0d02c29af7113053aa98f5c33445cccb7dbc1f8a5132ace75a2be82e9302264dfc0de579f835330eb65cf55e4d29ea4a0b4a30326ac40
7
- data.tar.gz: 99e6e990cefbbdce6a851c1da5249d9ec04a7e24be193ba674052809112da1de6867ed0930f27342c80867974532aceb77fa05b28f45aebd7338d015bb168e4e
6
+ metadata.gz: d52c4ee3175dd5c570b396b8391a6c673d33d9d073853142ddbe92399dde2cb94aca45778998fe8f959c503134994d459a00325c0fb0d53e7471e3f0093f37e2
7
+ data.tar.gz: 49b47ef522f849a98e8a181aea7b3fb84796ec2094d015c30ac0593846570d8accb319d1e4f9e5a1c1c4139f88bf005e8435668e21e105cd6d0c6f0f6ca5af2f
data/CHANGELOG.md CHANGED
@@ -1,7 +1,13 @@
1
+ ### 5.0.3 - 2026-03-16
2
+
3
+ * security fixes
4
+ * Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 [#5783](https://github.com/heartcombo/devise/pull/5783) [#5784](https://github.com/heartcombo/devise/pull/5784)
5
+
1
6
  ### 5.0.2 - 2026-02-18
2
7
 
3
8
  * enhancements
4
9
  * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5825](https://github.com/heartcombo/devise/pull/5825)
10
+ * _Note_: some users ran into an issue with this change because `RegistrationsController` now relies on a setting from the `:registerable` module. These users were configuring their own routes pointing to the `RegistrationsController` for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted `:registerable` from the model declaration. While using just a portion of the controller functionality is a valid use for `:registerable` (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check [this issue](https://github.com/heartcombo/devise/pull/5828#issuecomment-3926822788) for more info.
5
11
  * Add `sign_in_after_reset_password?` check hook to passwords controller, to allow it to be customized by users. [#5826](https://github.com/heartcombo/devise/pull/5826)
6
12
 
7
13
  ### 5.0.1 - 2026-02-13
@@ -258,9 +258,11 @@ module Devise
258
258
  generate_confirmation_token && save(validate: false)
259
259
  end
260
260
 
261
-
262
261
  def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
263
262
  @reconfirmation_required = true
263
+ # Force unconfirmed_email to be updated, even if the value hasn't changed, to prevent a
264
+ # race condition which could allow an attacker to confirm an email they don't own. See #5783.
265
+ devise_unconfirmed_email_will_change!
264
266
  self.unconfirmed_email = self.email
265
267
  self.email = self.devise_email_in_database
266
268
  self.confirmation_token = nil
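Review bot: The comment added above `devise_unconfirmed_email_will_change!` cites only #5783, while the changelog in this same release labels the fix CVE-2026-32700; putting the identifier in the code comment keeps the security rationale traceable from the source itself, e.g. `# race condition which could allow an attacker to confirm an email they don't own. See #5783 (CVE-2026-32700).` The fix depends on the ORM adapter's `devise_unconfirmed_email_will_change!` causing `unconfirmed_email` to be written even when the value assigned on the next line equals the stored one, so a regression test that saves a record whose `unconfirmed_email` already equals `email` and asserts the column is included in the update would pin that guarantee against future ORM changes. The method `postpone_email_change_until_confirmation_and_regenerate_confirmation_token` continues beyond the hunk, and its file header is not shown on this page.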
data/lib/devise/orm.rb CHANGED
@@ -35,6 +35,10 @@ module Devise
35
35
  will_save_change_to_email?
36
36
  end
37
37
 
38
+ def devise_unconfirmed_email_will_change!
39
+ unconfirmed_email_will_change!
40
+ end
41
+
38
42
  def devise_respond_to_and_will_save_change_to_attribute?(attribute)
39
43
  respond_to?("will_save_change_to_#{attribute}?") && send("will_save_change_to_#{attribute}?")
40
44
  end
@@ -61,6 +65,13 @@ module Devise
61
65
  email_changed?
62
66
  end
63
67
 
68
+ def devise_unconfirmed_email_will_change!
69
+ # Mongoid's will_change! doesn't force unchanged attributes into updates,
70
+ # so we override changed_attributes to make it see a difference.
71
+ unconfirmed_email_will_change!
72
+ changed_attributes["unconfirmed_email"] = nil
73
+ end
74
+
64
75
  def devise_respond_to_and_will_save_change_to_attribute?(attribute)
65
76
  respond_to?("#{attribute}_changed?") && send("#{attribute}_changed?")
66
77
  end
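Review bot: In the Mongoid `devise_unconfirmed_email_will_change!` (second hunk), seeding `changed_attributes["unconfirmed_email"] = nil` only registers a change when the value assigned afterwards is non-nil; if a caller ever assigns nil to `unconfirmed_email`, Mongoid would presumably compare nil with nil and drop the attribute from the update, so the forced write would be ineffective on that path — worth confirming against Mongoid's dirty tracking before relying on it. Both adapter methods should document the contract callers depend on, e.g. `# Guarantees unconfirmed_email is included in the next persisted update even when its value is unchanged.`, since the confirmable code calls them without knowing which adapter is active. The ActiveRecord variant in the first hunk carries no comment at all; the Mongoid comment implies that `unconfirmed_email_will_change!` alone forces the write under ActiveRecord, and stating that explicitly would make the asymmetry intentional rather than accidental. The enclosing adapter modules begin outside both hunks.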
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Devise
4
- VERSION = "5.0.2".freeze
4
+ VERSION = "5.0.3".freeze
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.2
4
+ version: 5.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - José Valim