Merge pull request from GHSA-5629-8855-gf4g

Add extra security layer for GHSA-xm34-v85h-9pg2 in solidus_auth_devise
solidusio · Nov 17, 2021 · dcace31 · dcace31
2 parents a5949e2 + bbd3512
commit dcace31
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/core/lib/spree/core/engine.rb b/core/lib/spree/core/engine.rb
@@ -67,6 +67,14 @@ class Engine < ::Rails::Engine
       config.after_initialize do
         Spree::Config.check_load_defaults_called('Spree::Config')
       end
+
+      config.after_initialize do
+        if defined?(Spree::Auth::Engine) &&
+            Gem::Version.new(Spree::Auth::VERSION) < Gem::Version.new('2.5.4') &&
+            defined?(Spree::UsersController)
+          Spree::UsersController.protect_from_forgery with: :exception
+        end
+      end
     end
   end
 end