From e0ffa1b8637fc090618d4ac6f0e522ba55a03458 Mon Sep 17 00:00:00 2001
From: Duncan Stuart
Date: Sun, 17 Nov 2019 23:35:05 +0100
Subject: [PATCH] Use omniauth-rails_csrf_protection gem

It seems like omniauth-rails is not actually the correct gem:
https://github.com/omniauth/omniauth-rails/pull/2#issuecomment-529579354

Here's the relevant instructions:
https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
---
 Gemfile      |  2 +-
 Gemfile.lock | 14 ++++----------
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/Gemfile b/Gemfile
index 61291df3..add38958 100644
--- a/Gemfile
+++ b/Gemfile
@@ -18,7 +18,7 @@ gem 'jbuilder'
 gem 'jquery-rails'
 gem 'memcachier'
 gem 'omniauth-facebook'
-gem 'omniauth-rails', git: 'https://github.com/omniauth/omniauth-rails', branch: 'CVE-2015-9284'
+gem 'omniauth-rails_csrf_protection'
 gem 'pg'
 gem 'pry-rails'
 gem 'puma'
diff --git a/Gemfile.lock b/Gemfile.lock
index c453555f..ded48f23 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,3 @@
-GIT
-  remote: https://github.com/omniauth/omniauth-rails
-  revision: 8ef80e7da0b4b12dd403ba579b0a34dd6efebdae
-  branch: CVE-2015-9284
-  specs:
-    omniauth-rails (1.0.0)
-      omniauth (~> 1.0)
-      rails
-
 GEM
   remote: https://rubygems.org/
   specs:
@@ -192,6 +183,9 @@ GEM
     omniauth-oauth2 (1.5.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     parallel (1.20.1)
     parser (3.0.1.1)
       ast (~> 2.4.1)
@@ -378,7 +372,7 @@ DEPENDENCIES
   memcachier
   oj
   omniauth-facebook
-  omniauth-rails!
+  omniauth-rails_csrf_protection
   pg
   pry-rails
   puma
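Review bot: The replacement line `+gem 'omniauth-rails_csrf_protection'` in the Gemfile hunk carries no version constraint, whereas the line it replaces was pinned to a specific git branch and Gemfile.lock resolves to 0.1.2; a pessimistic bound such as `gem 'omniauth-rails_csrf_protection', '~> 0.1'` keeps a later `bundle update` from silently crossing a major version of a gem that exists only to close a CSRF hole. This gem enforces Rails' request-forgery verification before the OmniAuth request phase, so any remaining GET links to the `/auth/:provider` endpoint have to become POST forms (`button_to` or `method: :post`) or sign-in will fail with an authenticity-token error; the commit touches only the Gemfile and lock, so whether the views were already updated cannot be confirmed from here. A short comment next to the gem line would record why it is there, e.g. `# CSRF protection for the OmniAuth request phase (CVE-2015-9284); /auth/:provider must be requested via POST`.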