
Confirmable should generate a token if confirmation_token is currently an empty string #5071

Closed
ajsharp opened this issue May 4, 2019 · 0 comments · Fixed by #5132

Comments


ajsharp commented May 4, 2019

Environment

  • Ruby 2.5.5p157
  • Rails 5.2.3
  • Devise 4.6.1

Current behavior

Currently, when using the confirmable module, Devise only checks whether the `confirmation_token` field is not nil. If it's nil, it will generate a confirmation token for you; if it's not, it won't. However, it can be set to an empty string, which should not be allowed, as it presents a security issue: it allows someone passing an empty string as the confirmation token to sign in as the person with the blank-string confirmation token.

This is the offending code: https://github.com/plataformatec/devise/blob/e91b8ee0bac0503af119bf7333499d7729166a4d/lib/devise/models/confirmable.rb#L249

Expected behavior

Devise should do something like `if self.confirmation_token.present?`, which checks for both nil and blank.

tegon added a commit that referenced this issue Aug 12, 2019
As reported in #5071, if
for some reason, a user in the database had the `confirmation_token`
column as a blank string, Devise would confirm that user after receiving
a request with a blank `confirmation_token` parameter.
After this commit, a request sending a blank `confirmation_token`
parameter will receive a validation error.
For applications that have users with a blank `confirmation_token` in
the database, it's recommended to manually regenerate or to nullify
them.
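The two failure modes described above (a nil-only check when generating the token, and a lookup that lets a blank request parameter match a blank column) side by side with the hardened behaviour the fix commit describes, as an added example written for this page. It is not Devise's own code: the `User` and `UserTable` classes, the in-memory rows, and the method names are stand-ins for a Devise confirmable model and its `confirm_by_token` class method, and `SecureRandom.urlsafe_base64` stands in for `Devise.friendly_token`.

```ruby
require 'securerandom'
require 'time'

# Equivalent of ActiveSupport's blank? for plain Ruby: nil, "" and
# whitespace-only strings all count as blank.
def blank_token?(token)
  token.nil? || token.strip.empty?
end

# Stand-in for a Devise confirmable model row (hypothetical, not Devise's class).
class User
  attr_accessor :email, :confirmation_token, :confirmed_at, :errors

  def initialize(email, confirmation_token: nil)
    @email = email
    @confirmation_token = confirmation_token
    @confirmed_at = nil
    @errors = []
  end

  def confirmed?
    !@confirmed_at.nil?
  end

  # Vulnerable generation: mirrors the nil-only check the issue reports.
  # A row whose column already holds "" keeps the empty string.
  def generate_confirmation_token_nil_check!
    @confirmation_token = SecureRandom.urlsafe_base64(20) if @confirmation_token.nil?
    @confirmation_token
  end

  # Hardened generation: "" and whitespace are treated like nil, so the
  # row always ends up with a real random token.
  def generate_confirmation_token_present_check!
    @confirmation_token = SecureRandom.urlsafe_base64(20) if blank_token?(@confirmation_token)
    @confirmation_token
  end
end

# Stand-in for the users table and the confirm_by_token class method.
class UserTable
  def initialize(users)
    @users = users
  end

  # Vulnerable lookup: plain equality, so a blank "confirmation_token"
  # request parameter matches a row whose column is "" and confirms it.
  def confirm_by_token_vulnerable(token)
    user = @users.find { |u| u.confirmation_token == token }
    return nil unless user
    user.confirmed_at = Time.now.utc
    user
  end

  # Hardened lookup (the behaviour the fix commit describes): a blank token
  # returns an unsaved record carrying a validation error and never hits
  # the table, regardless of what the table contains.
  def confirm_by_token_hardened(token)
    if blank_token?(token)
      rejected = User.new(nil)
      rejected.errors << "confirmation_token can't be blank"
      return rejected
    end
    confirm_by_token_vulnerable(token)
  end

  def confirmed_emails
    @users.select(&:confirmed?).map(&:email)
  end
end

# Constructed sample data: alice's row has the corrupted "" column the
# issue describes, bob's row has a normal token.
def build_table
  UserTable.new([
    User.new('alice@example.com', confirmation_token: ''),
    User.new('bob@example.com', confirmation_token: 'abc123')
  ])
end

if __FILE__ == $PROGRAM_NAME
  vuln = build_table
  puts "vulnerable, blank param confirms: #{vuln.confirm_by_token_vulnerable('')&.email.inspect}"
  hard = build_table
  puts "hardened, blank param errors: #{hard.confirm_by_token_hardened('').errors.inspect}"
  puts "hardened confirmed rows: #{hard.confirmed_emails.inspect}"
end
```

The hardened path rejects the request before any lookup, which is what closes the hole even if corrupted rows remain. For an existing application the commit message's advice still applies: find rows where the column equals the empty string and either regenerate their tokens or set the column to NULL, since the nil-only generation path will otherwise keep the empty string in place.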
tegon added a commit that referenced this issue Sep 4, 2019
senid231 added a commit to senid231/yeti-web that referenced this issue Sep 19, 2019
Name: devise
Version: 4.6.2
Advisory: CVE-2019-16109
Criticality: Unknown
URL: heartcombo/devise#5071
Title: Devise Gem for Ruby confirmation token validation with a blank string
Solution: upgrade to >= 4.7.1
rokumatsumoto added a commit to rokumatsumoto/boyutluseyler that referenced this issue Sep 28, 2019
hugopl pushed a commit to hugopl/reviewit that referenced this issue Oct 16, 2019
scbafk pushed a commit to repairtech/devise that referenced this issue Mar 3, 2020
…#5132)