github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 22:43:33 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124)

Browse Source
This commit is contained in:
David Taylor
2021-02-18 10:35:10 +00:00
committed by GitHub
parent 2f4630742c
commit 13d2a1f82c
8 changed files with 74 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/admin/users_controller.rb
View File

@ -442,7 +442,7 @@ class Admin::UsersController < Admin::AdminController
return render body: nil, status: 404 unless SiteSetting.enable_discourse_connect
begin
sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}")
sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}", secure_session: secure_session)
rescue DiscourseSingleSignOn::ParseError => e
return render json: failed_json.merge(message: I18n.t("discourse_connect.login_error")), status: 422
end