Relax omniauth requirement to mitigate CVE-2015-9284

Meat-Chopper · Meat-Chopper · commit faa62f0c58ff · 2021-01-16T00:22:42.000+03:00
diff --git a/omniauth-oauth.gemspec b/omniauth-oauth.gemspec
@@ -8,7 +8,7 @@ Gem::Specification.new do |gem|
   gem.homepage      = "https://github.com/intridea/omniauth-oauth"
   gem.license       = "MIT"
 
-  gem.add_dependency "omniauth", "~> 1.0"
+  gem.add_dependency "omniauth", ">= 1.0", "< 3"
   gem.add_dependency "oauth"
   gem.add_development_dependency "bundler", "~> 1.9"
 
diff --git a/spec/helper.rb b/spec/helper.rb
@@ -10,6 +10,8 @@
 require "omniauth"
 require "omniauth-oauth"
 
+OmniAuth.config.request_validation_phase = nil
+
 RSpec.configure do |config|
   config.include WebMock::API
   config.include Rack::Test::Methods
diff --git a/spec/omniauth/strategies/oauth_spec.rb b/spec/omniauth/strategies/oauth_spec.rb
@@ -34,7 +34,7 @@ def session
   describe "/auth/{name}" do
     context "successful" do
       before do
-        get "/auth/example.org"
+        post "/auth/example.org"
       end
 
       it "should redirect to authorize_url" do
@@ -43,7 +43,7 @@ def session
       end
 
       it "should redirect to authorize_url with authorize_params when set" do
-        get "/auth/example.org_with_authorize_params"
+        post "/auth/example.org_with_authorize_params"
         expect(last_response).to be_redirect
         expect([
           "https://api.example.org/oauth/authorize?abc=def&oauth_token=yourtoken",
@@ -56,7 +56,7 @@ def session
       end
 
       it "should pass request_params to get_request_token" do
-        get "/auth/example.org_with_request_params"
+        post "/auth/example.org_with_request_params"
         expect(WebMock).to have_requested(:post, "https://api.example.org/oauth/request_token").
           with { |req| req.body == "scope=http%3A%2F%2Ffoobar.example.org" }
       end
@@ -66,7 +66,7 @@ def session
       before do
         stub_request(:post, "https://api.example.org/oauth/request_token").
           to_raise(::Net::HTTPFatalError.new('502 "Bad Gateway"', nil))
-        get "/auth/example.org"
+        post "/auth/example.org"
       end
 
       it "should call fail! with :service_unavailable" do
@@ -78,7 +78,7 @@ def session
         before do
           stub_request(:post, "https://api.example.org/oauth/request_token").
             to_raise(::OpenSSL::SSL::SSLError.new("SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed"))
-          get "/auth/example.org"
+          post "/auth/example.org"
         end
 
         it "should call fail! with :service_unavailable" do
