Release v3.0.4

Release 3.0.3
Release v3.0.2
2026-01-09 15:47:59 -05:00 · 2013-11-13 14:10:16 +01:00 · 2013-08-18 10:26:26 +02:00 · 2013-08-09 10:24:23 +02:00 · 2013-08-08 23:32:18 +02:00 · 2013-08-08 23:32:09 +02:00
14 changed files with 59 additions and 41 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -1,5 +1,24 @@
+== 3.0.4
+
+Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
+
+* bug fix
+  * Avoid e-mail enumeration on sign in when in paranoid mode
+
+== 3.0.3
+
+* bug fix
+  * Do not confirm account after reset password
+
+== 3.0.2
+
+* bug fix
+  * Skip storage for cookies on unverified requests
+
 == 3.0.1

+Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
+
 * enhancements
  * Add after_confirmation callback

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -12,7 +12,7 @@ GIT
 PATH
  remote: .
  specs:
-    devise (3.0.1)
+    devise (3.0.4)
      bcrypt-ruby (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -47,7 +47,7 @@ GEM
      tzinfo (~> 0.3.37)
    arel (4.0.0)
    atomic (1.1.10)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
    builder (3.1.4)
    erubis (2.7.0)
    faraday (0.8.7)
--- a/gemfiles/Gemfile.rails-3.2.x.lock
+++ b/gemfiles/Gemfile.rails-3.2.x.lock
@@ -1,7 +1,7 @@
 PATH
  remote: ..
  specs:
-    devise (3.0.0)
+    devise (3.0.4)
      bcrypt-ruby (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 3.2.6, < 5)
@@ -38,7 +38,7 @@ GEM
      i18n (= 0.6.1)
      multi_json (~> 1.0)
    arel (3.0.2)
-    bcrypt-ruby (3.1.1)
+    bcrypt-ruby (3.1.2)
    builder (3.0.4)
    erubis (2.7.0)
    faraday (0.8.7)
--- a/lib/devise/controllers/rememberable.rb
+++ b/lib/devise/controllers/rememberable.rb
@@ -21,6 +21,7 @@ module Devise

      # Remembers the given resource by setting up a cookie
      def remember_me(resource)
+        return if env["devise.skip_storage"]
        scope = Devise::Mapping.find_scope!(resource)
        resource.remember_me!(resource.extend_remember_period)
        cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)
--- a/lib/devise/models/confirmable.rb
+++ b/lib/devise/models/confirmable.rb
@@ -241,11 +241,6 @@ module Devise
          regenerate_confirmation_token && save(:validate => false)
        end

-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
        def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
          @reconfirmation_required = true
          self.unconfirmed_email = self.email
--- a/lib/devise/rails/warden_compat.rb
+++ b/lib/devise/rails/warden_compat.rb
@@ -3,9 +3,16 @@ module Warden::Mixins::Common
    @request ||= ActionDispatch::Request.new(env)
  end

-  # This is called internally by Warden on logout
+  NULL_STORE =
+    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+
  def reset_session!
-    request.reset_session
+    # Calling reset_session on NULL_STORE causes it fail.
+    # This is a bug that needs to be fixed in Rails.
+    unless NULL_STORE && request.session.is_a?(NULL_STORE)
+      request.reset_session
+    end
  end

  def cookies
--- a/lib/devise/strategies/database_authenticatable.rb
+++ b/lib/devise/strategies/database_authenticatable.rb
@@ -5,13 +5,16 @@ module Devise
    # Default strategy for signing in a user, based on his email and password in the database.
    class DatabaseAuthenticatable < Authenticatable
      def authenticate!
-        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
-        return fail(:not_found_in_database) unless resource
+        resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+        encrypted = false

-        if validate(resource){ resource.valid_password?(password) }
+        if validate(resource){ encrypted = true; resource.valid_password?(password) }
          resource.after_database_authentication
          success!(resource)
        end
+
+        mapping.to.new.password = password if !encrypted && Devise.paranoid
+        fail(:not_found_in_database) unless resource
      end
    end
  end
--- a/lib/devise/version.rb
+++ b/lib/devise/version.rb
@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.0.1".freeze
+  VERSION = "3.0.4".freeze
 end
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase

  test 'sign in and redirect uses the stored location' do
    user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
+    @controller.session[:user_return_to] = "/foo.bar"
    @mock_warden.expects(:user).with(:user).returns(nil)
    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
    @controller.expects(:redirect_to).with("/foo.bar")
--- a/test/controllers/passwords_controller_test.rb
+++ b/test/controllers/passwords_controller_test.rb
@@ -7,7 +7,7 @@ class PasswordsControllerTest < ActionController::TestCase
  def setup
    request.env["devise.mapping"] = Devise.mappings[:user]

-    @user = create_user
+    @user = create_user.tap(&:confirm!)
    @user.send_reset_password_instructions
  end

--- a/test/integration/authenticatable_test.rb
+++ b/test/integration/authenticatable_test.rb
@@ -433,7 +433,7 @@ end

 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

--- a/test/integration/http_authenticatable_test.rb
+++ b/test/integration/http_authenticatable_test.rb
@@ -2,7 +2,7 @@ require 'test_helper'

 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
  test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
      create_user
      post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
      assert warden.authenticated?(:user)
--- a/test/integration/recoverable_test.rb
+++ b/test/integration/recoverable_test.rb
@@ -230,15 +230,6 @@ class PasswordTest < ActionDispatch::IntegrationTest
    end
  end

-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
  test 'reset password request with valid E-Mail in XML format should return valid response' do
    create_user
    post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    assert_nil request.cookies["remember_user_cookie"]
  end

-  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+  test 'handle unverified requests gets rid of caches' do
+    swap ApplicationController, :allow_forgery_protection => true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

@@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    end
  end

+  test 'handle unverified requests does not create cookies on sign in' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      get new_user_session_path
+      assert request.session[:_csrf_token]
+
+      post user_session_path, :authenticity_token => "oops", :user =>
+           { email: "jose.valim@gmail.com", password: "123456", :remember_me => "1" }
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
+    end
+  end
+
  test 'generate remember token after sign in' do
    sign_in_as_user :remember_me => true
-    assert request.cookies["remember_user_token"]
+    assert request.cookies['remember_user_token']
  end

  test 'generate remember token after sign in setting cookie options' do
@@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    assert_redirected_to root_path
  end

-  test 'cookies are destroyed on unverified requests' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      create_user_and_remember
-      get users_path
-      assert warden.authenticated?(:user)
-      post root_path, :authenticity_token => 'INVALID'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
  test 'does not extend remember period through sign in' do
    swap Devise, :extend_remember_period => true, :remember_for => 1.year do
      user = create_user
Author	SHA1	Message	Date
José Valim	d401147f68	Release v3.0.4	2013-11-13 14:10:16 +01:00
José Valim	d559a32646	Release 3.0.3	2013-08-18 10:26:26 +02:00
José Valim	6b95b96547	Release v3.0.2	2013-08-09 10:24:23 +02:00
José Valim	df8e6cf225	Skip storage for cookies on unverified requests	2013-08-08 23:32:18 +02:00
José Valim	cf87cd0742	Update OTHER lock	2013-08-08 23:32:09 +02:00