SECURITY: don't echo the "strategy" param returned by auto provider

2015-01-06 16:28:29 +11:00 · 2015-01-06 16:28:29 +11:00 · e6dba8adc2
parent f2b0115453
commit e6dba8adc2
2 changed files with 2 additions and 2 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -47,7 +47,7 @@ class Users::OmniauthCallbacksController < ApplicationController
  end

  def failure
-    flash[:error] = I18n.t("login.omniauth_error", strategy: params[:strategy].titleize)
+    flash[:error] = I18n.t("login.omniauth_error")
    render layout: 'no_js'
  end

--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1141,7 +1141,7 @@ en:
    errors: "%{errors}"
    not_available: "Not available. Try %{suggestion}?"
    something_already_taken: "Something went wrong, perhaps the username or email is already registered. Try the forgot password link."
-    omniauth_error: "Sorry, there was an error authorizing your %{strategy} account. Perhaps you did not approve authorization?"
+    omniauth_error: "Sorry, there was an error authorizing your account. Perhaps you did not approve authorization?"
    omniauth_error_unknown: "Something went wrong processing your log in, please try again."
    new_registrations_disabled: "New account registrations are not allowed at this time."
    password_too_long: "Passwords are limited to 200 characters."