From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 12 Jul 2023 15:31:00 +0300
Subject: [PATCH] CVE-2023-3128
---
pkg/api/login_oauth.go | 17 +++++++++--------
pkg/setting/setting.go | 5 ++++-
2 files changed, 13 insertions(+), 9 deletions(-)
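diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index b422baf..f124252 100644
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(
 connect social.SocialConnector,
 ) (*models.User, error) {
 oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+lookupParams := models.UserLookupParams{}
+if hs.Cfg.OAuthAllowInsecureEmailLookup {
+lookupParams.Email = &extUser.Email
+}
+
 // add/update user in Grafana
 cmd := &models.UpsertUserCommand{
-ReqContext: ctx,
-ExternalUser: extUser,
-SignupAllowed: connect.IsSignupAllowed(),
-UserLookupParams: models.UserLookupParams{
-Email: &extUser.Email,
-UserID: nil,
-Login: nil,
-},
+ReqContext: ctx,
+ExternalUser: extUser,
+SignupAllowed: connect.IsSignupAllowed(),
+UserLookupParams: lookupParams,
 }
 
 if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {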
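Review bot: When OAuthAllowInsecureEmailLookup is false, which is the default the readAuthSettings hunk sets, lookupParams carries no Email, UserID or Login, so whether the upsert still finds the existing account now rests entirely on a lookup by external auth identity that UpsertUser would have to perform from ExternalUser outside this hunk; if that match is absent, a returning user whose account was previously found by email would be treated as a new signup, or rejected when IsSignupAllowed returns false. That flag-off path deserves confirmation on the UpsertUser side and a test of its own. A comment above the new block would also record why the email match is opt-in, e.g. `// Match to an existing account by email only when explicitly enabled: a provider-supplied email is not proof of ownership of the Grafana account (CVE-2023-3128).` SyncUser's signature and the rest of its body continue outside the hunk.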
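diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index ba2c4bb..6b5c948 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -312,7 +312,8 @@ type Cfg struct {
 AuthProxySyncTTL int
 
 // OAuth
-OAuthCookieMaxAge int
+OAuthCookieMaxAge int
+OAuthAllowInsecureEmailLookup bool
 
 // JWT Auth
 JWTAuthEnabled bool
@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 return err
 }
 
+cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
 const defaultMaxLifetime = "30d"
 maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
 cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)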
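Review bot: The new Cfg field OAuthAllowInsecureEmailLookup carries no comment, and its name alone does not say what is insecure about it or why it is off by default; the explanation belongs on the field so the setting's meaning is kept next to its declaration. Something like `// OAuthAllowInsecureEmailLookup lets an OAuth login be matched to an existing Grafana user by email address alone; off by default because a provider-supplied email does not prove ownership of that account.` The ini key read in the readAuthSettings hunk defaults to false, which is the right conservative choice; given the name, emitting a warning at startup when the key is set to true would make the weakened matching visible in logs, though whatever logger readAuthSettings has access to is not visible in this hunk. The Cfg struct and readAuthSettings both continue outside their hunks.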