summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-29 15:58:14 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-10-29 15:58:14 +0000
commita7329f4372f4e0bc2c5d9af5b6d30cb4ad94ad7d (patch)
tree9b387d2fc6d0b20efab499bc55c3bbce026da2c8 /app
parenta0043682b500ce39ff4eba00e8c1cecc64819ea1 (diff)
parent8395032721f6d6cb26126a5bffcb42984a240c07 (diff)
downloadgitlab-ce-a7329f4372f4e0bc2c5d9af5b6d30cb4ad94ad7d.tar.gz
Merge branch 'security-remove-leaky-401-responses-master' into 'master'
Private/internal repository enumeration via bruteforce on a vulnerable URL See merge request gitlab/gitlabhq!3454
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb6
1 files changed, 4 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1443a71f6b1..27e88ae569e 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -16,7 +16,7 @@ class ApplicationController < ActionController::Base
include Gitlab::Tracking::ControllerConcern
include Gitlab::Experimentation::ControllerConcern
- before_action :authenticate_user!
+ before_action :authenticate_user!, except: [:route_not_found]
before_action :enforce_terms!, if: :should_enforce_terms?
before_action :validate_user_service_ticket!
before_action :check_password_expiration
@@ -97,7 +97,9 @@ class ApplicationController < ActionController::Base
if current_user
not_found
else
- authenticate_user!
+ store_location_for(:user, request.fullpath) unless request.xhr?
+
+ redirect_to new_user_session_path, alert: I18n.t('devise.failure.unauthenticated')
end
end