Source: ruby-omniauth
Version: 1.2.1-1
Severity: important
Tags: security upstream fixed-upstream
Forwarded: https://github.com/omniauth/omniauth/pull/867
Control: fixed -1 1.6.1-1
For tracking this security issue in ruby-omniauth:

> Request phase of omniauth stores request.params in session which are
> later assigned in env of callback phase. According to docs we should
> only store query params but in this case both GET and POST params get
> stored. POST params can contain authenticity_token of application to
> protect from CSRF issues. We shouldn't leak such tokens from POST
> params.

https://github.com/omniauth/omniauth/pull/867

[A CVE has been requested]

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
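As an added illustration of the request/callback phase behaviour quoted above (example code written for this report, not omniauth's own source or anything from the pull request), using a local stand-in whose GET, POST and params methods mirror the shape of Rack::Request; the request values are constructed and the token value is a placeholder:

```ruby
# Stand-in for Rack::Request (assumption: same method shape as Rack's).
# GET holds query-string parameters, POST holds the form body, and
# params merges both, which is the merge the bug report is about.
class StubRequest
  attr_reader :GET, :POST

  def initialize(get, post)
    @GET = get
    @POST = post
  end

  def params
    self.GET.merge(self.POST)
  end
end

# Request phase, vulnerable variant: persists every parameter, so a
# form-submitted authenticity_token lands in the session.
def request_phase_vulnerable(request, session)
  session['omniauth.params'] = request.params
  session
end

# Request phase, fixed variant: persists only query-string parameters,
# which is what the docs describe.
def request_phase_fixed(request, session)
  session['omniauth.params'] = request.GET
  session
end

# Callback phase: whatever was stored is handed to the app via env.
def callback_phase(session, env)
  env['omniauth.params'] = session.delete('omniauth.params') || {}
  env
end

# Defender's check: does a CSRF token survive into the callback env?
def leaks_csrf_token?(env)
  env.fetch('omniauth.params', {}).key?('authenticity_token')
end

# Constructed sample: POST /auth/provider?origin=/dashboard whose form
# body carries the application's CSRF token (placeholder value).
SAMPLE_REQUEST = StubRequest.new(
  { 'origin' => '/dashboard' },
  { 'authenticity_token' => 'PLACEHOLDER_TOKEN', 'commit' => 'Sign in' }
)

# Runs both phases with one of the two request-phase variants and
# returns the env the application would see in the callback.
def demo(vulnerable)
  session = {}
  vulnerable ? request_phase_vulnerable(SAMPLE_REQUEST, session) : request_phase_fixed(SAMPLE_REQUEST, session)
  callback_phase(session, {})
end
```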