In OmniAuth's README it says:
"Please note: there is currently a CSRF vulnerability which affects OmniAuth (designated CVE-2015-9284) that requires mitigation at the application level. More details on how to do this can be found on the Wiki."
That wiki (https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284) points out several things that need to be done to avoid this security vulnerability.
Does Devise handle those?
If so, it would be helpful to mention that in the README or Devise OmniAuth wiki so that users don't need to worry.
If not, it would be helpful to mention that in the README or Devise OmniAuth wiki so users are advised to take the precautions mentioned in the wiki.
@richardonrails hey, thanks for the issue here. I believe this was closed by #5327.
Generally speaking, the only thing that changed on Devise was to enforce that the links on the shared partial use POST instead of GET, which is something people could already do in their apps if they had copied the shared links and/or have their own links to start the OmniAuth flow.
Our routes currently accept both GET & POST at the moment, and I'll be looking into that if anything needs to change as well as part of the OmniAuth upgrade. My plan is to only enable POST if that's what OmniAuth is configured with, but otherwise nothing else should need to change. That being said, I think the overall issue comes from OmniAuth and not Devise itself, so I don't think we need to go down the path of a security issue / CVE / etc.; we just need to provide guidance where we can to allow people to upgrade if they're using OmniAuth.
I added as much info to the changelog as I could about the change, pointing to OmniAuth upgrade information. The wiki was also updated accordingly. Please note that this is still on master and not a released version; I am hoping to release a new version in the coming weeks with that and a few other things.
Let me know if you have any questions, thanks again.
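The POST-only request phase plus authenticity-token check that the OmniAuth wiki prescribes, as a simplified pure-Ruby model added for this thread (not OmniAuth's, Devise's, or omniauth-rails_csrf_protection's own code). The RequestPhaseGuard class, the demo_outcomes helper and the sample tokens are constructed for illustration.

```ruby
require "securerandom"

# Simplified model of the request-phase guard that the CVE-2015-9284 mitigation
# puts in front of /users/auth/:provider. Illustrative code for this thread, not
# OmniAuth's or Devise's own: OmniAuth enforces allowed_request_methods itself,
# and omniauth-rails_csrf_protection supplies the authenticity-token check.
class RequestPhaseGuard
  attr_reader :allowed_request_methods

  # Default mirrors the post-fix setup: only POST may start an OAuth flow.
  def initialize(allowed_request_methods: [:post])
    @allowed_request_methods = allowed_request_methods.map { |m| m.to_s.downcase.to_sym }
  end

  # Per-session token; the sign-in form embeds it as a hidden field.
  def self.new_session_token
    SecureRandom.hex(32)
  end

  # Returns :ok when the request may proceed to the provider redirect,
  # otherwise a symbol naming why it was refused.
  def check(method:, params:, session_token:)
    return :method_not_allowed unless allowed_request_methods.include?(method.to_s.downcase.to_sym)
    submitted = params["authenticity_token"]
    return :missing_token if submitted.nil? || session_token.nil?
    return :bad_token unless secure_compare(submitted, session_token)
    :ok
  end

  private

  # Length check, then constant-time byte comparison, so response timing does
  # not leak the token one byte at a time.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample requests. The old Devise shared partial rendered a plain
# GET link, which any third-party page could trigger with no token at all.
def demo_outcomes
  guard = RequestPhaseGuard.new
  token = RequestPhaseGuard.new_session_token
  {
    old_get_link: guard.check(method: :get, params: {}, session_token: token),
    forged_post: guard.check(method: :post, params: { "authenticity_token" => "f" * 64 }, session_token: token),
    button_to_post: guard.check(method: :post, params: { "authenticity_token" => token }, session_token: token)
  }
end
```

In a real Rails app the same outcome comes from `OmniAuth.config.allowed_request_methods = [:post]`, the omniauth-rails_csrf_protection gem, and a Devise shared partial that renders `button_to` instead of `link_to`.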