Fix CVE-2015-9284 (#5284)

* Fix CVE-2015-9284

* Update CHANGELOG

CHANGELOG.md

@@ -41,6 +41,7 @@
 - **decidim-proposals**: Fix proposals accepted stat when they include hidden proposals [#5276](https://github.com/decidim/decidim/pull/5276)
 - **decidim-forms**: Fix adding answer options to a new form [#5275](https://github.com/decidim/decidim/pull/5275)
 - **decidim-core**: Add missing locales when creating a new user group [#5262](https://github.com/decidim/decidim/pull/5262)
+- **decidim-core**: Fix CVE-2015-9284 Omniauth issue [#5284](https://github.com/decidim/decidim/pull/5284)
 
 
 **Removed**:

Gemfile.lock

@@ -96,6 +96,7 @@ PATH
       omniauth (~> 1.9)
       omniauth-facebook (~> 5.0)
       omniauth-google-oauth2 (~> 0.7)
+      omniauth-rails_csrf_protection (~> 0.1)
       omniauth-twitter (~> 1.4)
       paper_trail (~> 10.3)
       pg (~> 1.1.4, < 2)
@@ -520,6 +521,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
@@ -533,20 +537,20 @@ GEM
     parser (2.6.3.0)
       ast (~> 2.4.0)
     pg (1.1.4)
-    pg_search (2.2.0)
+    pg_search (2.3.0)
       activerecord (>= 4.2)
       activesupport (>= 4.2)
     premailer (1.11.1)
       addressable
       css_parser (>= 1.6.0)
       htmlentities (>= 4.0.0)
-    premailer-rails (1.10.2)
-      actionmailer (>= 3, < 6)
+    premailer-rails (1.10.3)
+      actionmailer (>= 3)
       premailer (~> 1.7, >= 1.7.9)
     public_suffix (3.1.0)
     puma (3.12.1)
     rack (2.0.7)
-    rack-attack (6.0.0)
+    rack-attack (6.1.0)
       rack (>= 1.0, < 3)
     rack-cors (1.0.3)
     rack-test (1.1.0)

decidim-core/app/views/decidim/devise/shared/_omniauth_buttons.html.erb

@@ -4,7 +4,7 @@
       <%- Decidim::User.omniauth_providers.each do |provider| %>
         <% if social_provider_enabled? provider %>
           <div class="social-register">
-            <%= link_to decidim.send("user_#{provider}_omniauth_authorize_path"), class: "button button--social button--#{normalize_provider_name(provider)}" do %>
+            <%= link_to decidim.send("user_#{provider}_omniauth_authorize_path"), class: "button button--social button--#{normalize_provider_name(provider)}", method: :post do %>
               <span class="button--social__icon">
                 <%= oauth_icon provider %>
               </span>

decidim-core/app/views/decidim/devise/shared/_omniauth_buttons_mini.html.erb

@@ -7,7 +7,7 @@
       <div class="text-center">
         <%- Decidim::User.omniauth_providers.each do |provider| %>
           <% if social_provider_enabled? provider %>
-            <%= link_to decidim.send("user_#{provider}_omniauth_authorize_path"), class: "button button--social button--#{normalize_provider_name(provider)} button--social--mini" do %>
+            <%= link_to decidim.send("user_#{provider}_omniauth_authorize_path"), class: "button button--social button--#{normalize_provider_name(provider)} button--social--mini", method: :post do %>
               <span class="button--social__icon">
                 <%= oauth_icon provider %>
               </span>

decidim-core/decidim-core.gemspec

@@ -46,6 +46,7 @@ Gem::Specification.new do |s|
   s.add_dependency "omniauth", "~> 1.9"
   s.add_dependency "omniauth-facebook", "~> 5.0"
   s.add_dependency "omniauth-google-oauth2", "~> 0.7"
+  s.add_dependency "omniauth-rails_csrf_protection", "~> 0.1"
   s.add_dependency "omniauth-twitter", "~> 1.4"
   s.add_dependency "paper_trail", "~> 10.3"
   s.add_dependency "pg", "~> 1.1.4", "< 2"

decidim-generators/Gemfile.lock

@@ -91,6 +91,7 @@ PATH
       omniauth (~> 1.9)
       omniauth-facebook (~> 5.0)
       omniauth-google-oauth2 (~> 0.7)
+      omniauth-rails_csrf_protection (~> 0.1)
       omniauth-twitter (~> 1.4)
       paper_trail (~> 10.3)
       pg (~> 1.1.4, < 2)
@@ -515,6 +516,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
@@ -528,15 +532,15 @@ GEM
     parser (2.6.3.0)
       ast (~> 2.4.0)
     pg (1.1.4)
-    pg_search (2.2.0)
+    pg_search (2.3.0)
       activerecord (>= 4.2)
       activesupport (>= 4.2)
     premailer (1.11.1)
       addressable
       css_parser (>= 1.6.0)
       htmlentities (>= 4.0.0)
-    premailer-rails (1.10.2)
-      actionmailer (>= 3, < 6)
+    premailer-rails (1.10.3)
+      actionmailer (>= 3)
       premailer (~> 1.7, >= 1.7.9)
     public_suffix (3.1.0)
     puma (3.12.1)

decidim_app-design/Gemfile.lock

@@ -96,6 +96,7 @@ PATH
       omniauth (~> 1.9)
       omniauth-facebook (~> 5.0)
       omniauth-google-oauth2 (~> 0.7)
+      omniauth-rails_csrf_protection (~> 0.1)
       omniauth-twitter (~> 1.4)
       paper_trail (~> 10.3)
       pg (~> 1.1.4, < 2)
@@ -520,6 +521,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
@@ -533,15 +537,15 @@ GEM
     parser (2.6.3.0)
       ast (~> 2.4.0)
     pg (1.1.4)
-    pg_search (2.2.0)
+    pg_search (2.3.0)
       activerecord (>= 4.2)
       activesupport (>= 4.2)
     premailer (1.11.1)
       addressable
       css_parser (>= 1.6.0)
       htmlentities (>= 4.0.0)
-    premailer-rails (1.10.2)
-      actionmailer (>= 3, < 6)
+    premailer-rails (1.10.3)
+      actionmailer (>= 3)
       premailer (~> 1.7, >= 1.7.9)
     public_suffix (3.1.0)
     puma (3.12.1)