[DRE-maint] Bug#888523: ruby-omniauth: security issue in returning post parameters from session in callback phase
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 26 17:58:22 UTC 2018
Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1
For tracking this security issue in ruby-omniauth:
> Request phase of omniauth store request.params in session which are
> later assigned in env of callback phase. According to docs we should
> only store query params but in this case both GET and POST params get
> stored. POST params can contain authenticity_token of application to
> protect from CSRF issues. We shouldn't leak such tokens from POST
> params.
https://github.com/omniauth/omniauth/pull/867
[A CVE has been requested]
Regards,
Salvatore
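To make the quoted description concrete, here is an added example (not OmniAuth's own code) modelling the request phase storing parameters in the session and the callback phase copying them back into the env, with the vulnerable variant (all of request.params) beside a hardened one that keeps only query-string parameters as the report says the docs intend. The Hash shapes for request and session, the helper names and the placeholder token value are assumptions.

```ruby
require 'uri'

# Added example (not OmniAuth's code) modelling the two phases from the
# report: a request is a Hash with query string and form body, a session
# is a plain Hash.
def parse_form(str)
  URI.decode_www_form(str.to_s).to_h
end

# Request phase, vulnerable variant: merges query and form parameters
# (request.params) and stores all of them in the session.
def request_phase_vulnerable(req, session)
  session['omniauth.params'] =
    parse_form(req[:query]).merge(parse_form(req[:body]))
end

# Request phase, hardened variant: keeps only query-string parameters,
# so form fields such as authenticity_token never reach the session.
def request_phase_hardened(req, session)
  session['omniauth.params'] = parse_form(req[:query])
end

# Callback phase: whatever was stored is copied into the Rack env, where
# later middleware and the application can read it.
def callback_phase(session, env)
  env['omniauth.params'] = session.delete('omniauth.params') || {}
  env
end

# Defender's check: does the callback env expose the CSRF token?
def leaks_csrf_token?(env)
  env.fetch('omniauth.params', {}).key?('authenticity_token')
end

# Constructed sample: a POST to the request-phase URL carrying the app's
# CSRF token (placeholder value) in the body plus one query parameter.
SAMPLE_REQUEST = {
  query: 'origin=%2Fdashboard',
  body:  'authenticity_token=PLACEHOLDER_TOKEN&remember_me=1'
}.freeze

# Runs both phases with the chosen request-phase variant; returns the env.
def demo(hardened)
  session = {}
  phase = hardened ? :request_phase_hardened : :request_phase_vulnerable
  send(phase, SAMPLE_REQUEST, session)
  callback_phase(session, {})
end
```

Calling `leaks_csrf_token?(demo(false))` returns true and `leaks_csrf_token?(demo(true))` returns false, which is the check a reviewer can run against a patched package.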