Release v3.0.4

2026-01-07 23:03:58 -05:00 · 2013-11-13 14:10:16 +01:00
parent d559a32646
commit d401147f68
5 changed files with 18 additions and 8 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,3 +1,10 @@
+== 3.0.4
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+  * Avoid e-mail enumeration on sign in when in paranoid mode
+
 == 3.0.3

 * bug fix
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -12,7 +12,7 @@ GIT
 PATH
  remote: .
  specs:
-    devise (3.0.3)
+    devise (3.0.4)
      bcrypt-ruby (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -47,7 +47,7 @@ GEM
      tzinfo (~> 0.3.37)
    arel (4.0.0)
    atomic (1.1.10)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
    builder (3.1.4)
    erubis (2.7.0)
    faraday (0.8.7)
--- a/gemfiles/Gemfile.rails-3.2.x.lock
+++ b/gemfiles/Gemfile.rails-3.2.x.lock
@@ -1,7 +1,7 @@
 PATH
  remote: ..
  specs:
-    devise (3.0.3)
+    devise (3.0.4)
      bcrypt-ruby (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -38,7 +38,7 @@ GEM
      i18n (= 0.6.1)
      multi_json (~> 1.0)
    arel (3.0.2)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
    builder (3.0.4)
    erubis (2.7.0)
    faraday (0.8.7)
--- a/lib/devise/strategies/database_authenticatable.rb
+++ b/lib/devise/strategies/database_authenticatable.rb
@@ -5,13 +5,16 @@ module Devise
    # Default strategy for signing in a user, based on his email and password in the database.
    class DatabaseAuthenticatable < Authenticatable
      def authenticate!
-        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        return fail(:not_found_in_database) unless resource
+        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        encrypted = false

-        if validate(resource){ resource.valid_password?(password) }
+        if validate(resource){ encrypted = true; resource.valid_password?(password) }
          resource.after_database_authentication
          success!(resource)
        end
+
+        mapping.to.new.password = password if !encrypted && Devise.paranoid
+        fail(:not_found_in_database) unless resource
      end
    end
  end
--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.0.3".freeze
+  VERSION = "3.0.4".freeze
 end