Merge pull request #5043 from maestrano/increment-failed-attempts-concurency

Backport CVE-2019-5421 fix to 3.x
Make #increment_failed_attempts concurrency safe
2026-01-12 00:08:34 -05:00 · 2019-03-26 11:33:35 -03:00 · 2019-03-15 09:54:25 +11:00 · 2018-01-09 13:07:35 -05:00 · 2017-12-28 10:56:17 -08:00 · 2016-05-17 10:06:18 -03:00
4 changed files with 17 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,18 +20,18 @@
  * Fix the `extend_remember_period` configuration. When set to `false` it does
    not update the cookie expiration anymore.(by @ulissesalmeida)

-### 3.5.6 - 2016-01-02
+### 3.5.6 - 2016-02-01

 * bug fixes
  * Fix type coercion of the rememberable timestamp stored on cookies.

-### 3.5.5 - 2016-22-01
+### 3.5.5 - 2016-01-22

 * bug fixes
  * Bring back remember_expired? implementation
  * Ensure timeouts are not triggered if remember me is being used

-### 3.5.4 - 2016-18-01
+### 3.5.4 - 2016-01-18

 * bug fixes
  * Store creation timestamps on remember cookies
--- a/app/controllers/devise/sessions_controller.rb
+++ b/app/controllers/devise/sessions_controller.rb
@@ -2,7 +2,7 @@ class Devise::SessionsController < DeviseController
  prepend_before_filter :require_no_authentication, only: [:new, :create]
  prepend_before_filter :allow_params_authentication!, only: :create
  prepend_before_filter :verify_signed_out_user, only: :destroy
-  prepend_before_filter only: [:create, :destroy] { request.env["devise.skip_timeout"] = true }
+  prepend_before_filter(only: [:create, :destroy]) { request.env["devise.skip_timeout"] = true }

  # GET /resource/sign_in
  def new
--- a/lib/devise/models/lockable.rb
+++ b/lib/devise/models/lockable.rb
@@ -99,8 +99,8 @@ module Devise
        if super && !access_locked?
          true
        else
-          self.failed_attempts ||= 0
-          self.failed_attempts += 1
+          self.class.increment_counter(:failed_attempts, id)
+          reload
          if attempts_exceeded?
            lock_access! unless access_locked?
          else
--- a/test/models/lockable_test.rb
+++ b/test/models/lockable_test.rb
@@ -37,6 +37,17 @@ class LockableTest < ActiveSupport::TestCase
    end
  end

+  test "should read failed_attempts from database when incrementing" do
+    user = create_user
+    initial_failed_attempts = user.failed_attempts
+    same_user = User.find(user.id)
+
+    user.valid_for_authentication?{ false }
+    same_user.valid_for_authentication?{ false }
+
+    assert_equal initial_failed_attempts + 2, user.reload.failed_attempts
+  end
+
  test 'should be valid for authentication with a unlocked user' do
    user = create_user
    user.lock_access!
Author	SHA1	Message	Date
Leonardo Tegon	fb48336709	Merge pull request #5043 from maestrano/increment-failed-attempts-concurency Backport CVE-2019-5421 fix to 3.x	2019-03-26 11:33:35 -03:00
Olivier Brisse	36690f33a4	Make `#increment_failed_attempts` concurrency safe Backported from https://github.com/plataformatec/devise/pull/4996	2019-03-15 09:54:25 +11:00
Rafael França	bddf051bfb	Merge pull request #4749 from chrisb/3-stable-ruby-2.5 Backport Ruby 2.5.0 syntax fixes to 3-stable	2018-01-09 13:07:35 -05:00
Pat Allan	53957d921b	Fix syntax for MRI 2.5.0-preview1.	2017-12-28 10:56:17 -08:00
Lucas Mazza	a0af72edfd	Merge pull request #4117 from kamipo/patch-1 Fix release date in 3-stable CHANGELOG.md	2016-05-17 10:06:18 -03:00
Ryuta Kamizono	05b87096bd	Fix release date in 3-stable CHANGELOG.md	2016-05-17 21:58:54 +09:00