Protect OmniAuth request phase against CSRF.

author: Douwe Maan <douwe@gitlab.com> 2015-04-24 17:03:18 +0200
committer: Douwe Maan <douwe@gitlab.com> 2015-04-24 17:03:18 +0200
commit: 571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5 (patch)
tree: 817cd5b54a81a1a229be4b42e7643ad90f5040e1 /config
parent: 62117f2f25646009fb5b20d7a215d7d697ce3231 (diff)
download: gitlab-ce-571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/config/initializers/7_omniauth.rb b/config/initializers/7_omniauth.rb
index 8f6c5673103..103aa06ca32 100644
--- a/config/initializers/7_omniauth.rb
+++ b/config/initializers/7_omniauth.rb
@@ -10,3 +10,8 @@ if Gitlab::LDAP::Config.enabled?
     alias_method server['provider_name'], :ldap
   end
 end
+
+OmniAuth.config.allowed_request_methods = [:post]
+OmniAuth.config.before_request_phase do |env|
+  OmniAuth::RequestForgeryProtection.new(env).call
+end
author	Douwe Maan <douwe@gitlab.com>	2015-04-24 17:03:18 +0200
committer	Douwe Maan <douwe@gitlab.com>	2015-04-24 17:03:18 +0200
commit	571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5 (patch)
tree	817cd5b54a81a1a229be4b42e7643ad90f5040e1 /config
parent	62117f2f25646009fb5b20d7a215d7d697ce3231 (diff)
download	gitlab-ce-571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5.tar.gz