grafana-almalinux-vs-rockylinux-patch-compare
创建于 差异永不过期
From 150a1d2777ea86253e6f800a2ee6273b92295ed9 Mon Sep 17 00:00:00 2001
commit bae86dbeb0
From: eabdullin <ed.abdullin.1@gmail.com>
Author: Ieva <ieva.vasiljeva@grafana.com>
Date: Wed, 12 Jul 2023 15:31:00 +0300
Date: Tue Jun 6 17:45:31 2023 +0100
Subject: [PATCH] CVE-2023-3128
---
Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
pkg/api/login_oauth.go | 17 +++++++++--------
pkg/setting/setting.go | 5 ++++-
backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
index b422baf..f124252 100644
index 22014aee43..af00c56a68 100644
--- a/pkg/api/login_oauth.go
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@@ -299,16 +299,17 @@ func (hs *HTTPServer) SyncUser(
@@ -299,16 +299,17 @@
connect social.SocialConnector,
connect social.SocialConnector,
) (*models.User, error) {
) (*models.User, error) {
oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
+ lookupParams := models.UserLookupParams{}
+ lookupParams := models.UserLookupParams{}
+ if hs.Cfg.OAuthAllowInsecureEmailLookup {
+ if hs.Cfg.OAuthAllowInsecureEmailLookup {
+ lookupParams.Email = &extUser.Email
+ lookupParams.Email = &extUser.Email
+ }
+ }
+
+
// add/update user in Grafana
// add/update user in Grafana
cmd := &models.UpsertUserCommand{
cmd := &models.UpsertUserCommand{
- ReqContext: ctx,
- ReqContext: ctx,
- ExternalUser: extUser,
- ExternalUser: extUser,
- SignupAllowed: connect.IsSignupAllowed(),
- SignupAllowed: connect.IsSignupAllowed(),
- UserLookupParams: models.UserLookupParams{
- UserLookupParams: models.UserLookupParams{
- Email: &extUser.Email,
- Email: &extUser.Email,
- UserID: nil,
- UserID: nil,
- Login: nil,
- Login: nil,
- },
- },
+ ReqContext: ctx,
+ ReqContext: ctx,
+ ExternalUser: extUser,
+ ExternalUser: extUser,
+ SignupAllowed: connect.IsSignupAllowed(),
+ SignupAllowed: connect.IsSignupAllowed(),
+ UserLookupParams: lookupParams,
+ UserLookupParams: lookupParams,
}
}
if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index ba2c4bb..6b5c948 100644
index 20e8f78a2f..03aa5c17d8 100644
--- a/pkg/setting/setting.go
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -312,7 +312,8 @@ type Cfg struct {
@@ -312,7 +312,8 @@
AuthProxySyncTTL int
AuthProxySyncTTL int
// OAuth
// OAuth
- OAuthCookieMaxAge int
- OAuthCookieMaxAge int
+ OAuthCookieMaxAge int
+ OAuthCookieMaxAge int
+ OAuthAllowInsecureEmailLookup bool
+ OAuthAllowInsecureEmailLookup bool
// JWT Auth
// JWT Auth
JWTAuthEnabled bool
JWTAuthEnabled bool
@@ -1255,6 +1256,8 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
@@ -1256,6 +1256,8 @@
return err
return err
}
}
+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+ cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
+
+
const defaultMaxLifetime = "30d"
const defaultMaxLifetime = "30d"
maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)