Confronta il testo

Trova la differenza tra due file di testo

Editor live

Comprimi invariate

Senza a capo

Layout

Livello di dettaglio

Evidenziazione sintassi

Diffchecker Desktop Il modo più sicuro per usare Diffchecker. Ottieni l'app Diffchecker Desktop: i tuoi diff non lasciano mai il tuo computer!Ottieni Desktop

grafana-almalinux-vs-rockylinux-patch-compare

Creato 3 anni faIl diff non scade mai

16 rimozioni

Linee
Totale
Rimosso

Caratteri
Totale
Rimosso

Per continuare a utilizzare questa funzione, aggiorna a Diffchecker Pro Visualizza prezzi

63 linee

11 aggiunte

Linee
Totale
Aggiunto

Caratteri
Totale
Aggiunto

Per continuare a utilizzare questa funzione, aggiorna a Diffchecker Pro Visualizza prezzi

61 linee

From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001

commit bae86dbeb0

From: eabdullin <ed.abdullin.1@gmail.com>

Author: Ieva <ieva.vasiljeva@grafana.com>

Date: Wed, 12 Jul 2023 15:31:00 +0300

Date: Tue Jun 6 17:45:31 2023 +0100

Subject: [PATCH] CVE-2023-3128

---

Auth: Remove Email Lookup from oauth integrations 9.2 (#898)

pkg/api/login_oauth.go | 17 +++++++++--------

pkg/setting/setting.go | 5 ++++-

backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x

2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go

index b422baf..f124252 100644

index 22014aee43..af00c56a68 100644

--- a/pkg/api/login_oauth.go

+++ b/pkg/api/login_oauth.go

@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(

@@ -299,16 +299,17 @@

connect social.SocialConnector,

) (*models.User, error) {

oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")

+ lookupParams := models.UserLookupParams{}

+ if hs.Cfg.OAuthAllowInsecureEmailLookup {

+ lookupParams.Email = &extUser.Email

+ }

// add/update user in Grafana

cmd := &models.UpsertUserCommand{

- ReqContext: ctx,

- ExternalUser: extUser,

- SignupAllowed: connect.IsSignupAllowed(),

- UserLookupParams: models.UserLookupParams{

- Email: &extUser.Email,

- UserID: nil,

- Login: nil,

- },

+ ReqContext: ctx,

+ ExternalUser: extUser,

+ SignupAllowed: connect.IsSignupAllowed(),

+ UserLookupParams: lookupParams,

}

if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {

diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go

index ba2c4bb..6b5c948 100644

index 20e8f78a2f..03aa5c17d8 100644

--- a/pkg/setting/setting.go

+++ b/pkg/setting/setting.go

@@ -312,7 +312,8 @@ type Cfg struct {

@@ -312,7 +312,8 @@

AuthProxySyncTTL int

// OAuth

- OAuthCookieMaxAge int

+ OAuthCookieMaxAge int

+ OAuthAllowInsecureEmailLookup bool

// JWT Auth

JWTAuthEnabled bool

@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {

@@ -1256,6 +1256,8 @@

return err

}

+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)

const defaultMaxLifetime = "30d"

maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)

cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)

Diff salvati

Testo originale

Apri file

From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 12 Jul 2023 15:31:00 +0300
Subject: [PATCH] CVE-2023-3128

---
 pkg/api/login_oauth.go | 17 +++++++++--------
 pkg/setting/setting.go |  5 ++++-
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index b422baf..f124252 100644
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(
 	connect social.SocialConnector,
 ) (*models.User, error) {
 	oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+	lookupParams := models.UserLookupParams{}
+	if hs.Cfg.OAuthAllowInsecureEmailLookup {
+		lookupParams.Email = &extUser.Email
+	}
+
 	// add/update user in Grafana
 	cmd := &models.UpsertUserCommand{
-		ReqContext:    ctx,
-		ExternalUser:  extUser,
-		SignupAllowed: connect.IsSignupAllowed(),
-		UserLookupParams: models.UserLookupParams{
-			Email:  &extUser.Email,
-			UserID: nil,
-			Login:  nil,
-		},
+		ReqContext:       ctx,
+		ExternalUser:     extUser,
+		SignupAllowed:    connect.IsSignupAllowed(),
+		UserLookupParams: lookupParams,
 	}
 
 	if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index ba2c4bb..6b5c948 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -312,7 +312,8 @@ type Cfg struct {
 	AuthProxySyncTTL          int
 
 	// OAuth
-	OAuthCookieMaxAge int
+	OAuthCookieMaxAge             int
+	OAuthAllowInsecureEmailLookup bool
 
 	// JWT Auth
 	JWTAuthEnabled       bool
@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 		return err
 	}
 
+	cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
 	const defaultMaxLifetime = "30d"
 	maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
 	cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)

Testo modificato

Apri file

commit bae86dbeb0
Author: Ieva <ieva.vasiljeva@grafana.com>
Date:   Tue Jun 6 17:45:31 2023 +0100

Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
    
    backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x

diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index 22014aee43..af00c56a68 100644
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -299,16 +299,17 @@
 	connect social.SocialConnector,
 ) (*models.User, error) {
 	oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+	lookupParams := models.UserLookupParams{}
+	if hs.Cfg.OAuthAllowInsecureEmailLookup {
+		lookupParams.Email = &extUser.Email
+	}
+
 	// add/update user in Grafana
 	cmd := &models.UpsertUserCommand{
-		ReqContext:    ctx,
-		ExternalUser:  extUser,
-		SignupAllowed: connect.IsSignupAllowed(),
-		UserLookupParams: models.UserLookupParams{
-			Email:  &extUser.Email,
-			UserID: nil,
-			Login:  nil,
-		},
+		ReqContext:       ctx,
+		ExternalUser:     extUser,
+		SignupAllowed:    connect.IsSignupAllowed(),
+		UserLookupParams: lookupParams,
 	}
 
 	if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 20e8f78a2f..03aa5c17d8 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -312,7 +312,8 @@
 	AuthProxySyncTTL          int
 
 	// OAuth
-	OAuthCookieMaxAge int
+	OAuthCookieMaxAge             int
+	OAuthAllowInsecureEmailLookup bool
 
 	// JWT Auth
 	JWTAuthEnabled       bool
@@ -1256,6 +1256,8 @@
 		return err
 	}
 
+	cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
 	const defaultMaxLifetime = "30d"
 	maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
 	cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)