From 944c2cc9afbb31ed29d3b08066e9f05bdc7ac167 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Wed, 22 Sep 2021 14:11:31 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20Fixed=20member=20email=20change?=
 =?UTF-8?q?=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

This updates the signup/signin flow for members to no longer support the email address change flow - which had missing authentication. It has been replaced with a dedicated email change flow, and Portal has been updated to use it.
---
 core/server/web/members/app.js | 1 +
 core/shared/config/defaults.json | 4 ++--
 package.json | 2 +-
 yarn.lock | 8 ++++----
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/core/server/web/members/app.js b/core/server/web/members/app.js
index b01b43e32b..1b80d63e20 100644
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@@ -34,6 +34,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
     membersApp.get('/api/member', middleware.getMemberData);
     membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+    membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
     membersApp.get('/api/session', middleware.getIdentityToken);
     membersApp.delete('/api/session', middleware.deleteSession);
     membersApp.get('/api/site', middleware.getMemberSiteData);
diff --git a/core/shared/config/defaults.json b/core/shared/config/defaults.json
index d8e7e693a4..7667145aca 100644
--- a/core/shared/config/defaults.json
+++ b/core/shared/config/defaults.json
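Review bot: The new `/api/member/email` route is wired as an inline arrow straight to `membersService.api.middleware.updateEmailAddress`, unlike the sibling routes that go through the local `middleware` object, and nothing in the hunk shows a member-session check in front of it. Since this route replaces the flow the commit describes as missing authentication, the expectation belongs in a comment on the route, e.g. `// Dedicated email-change flow (GHSA-65p7-pjj8-ggmr): updateEmailAddress must authenticate the member session and validate the requested address itself; nothing upstream on this route does.` The arrow wrapper presumably exists so `membersService.api` is resolved at request time rather than when this app is built; if that is the reason, state it in the same comment rather than leaving it to be guessed. The enclosing `setupMembersApp` function starts and ends outside the hunk.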
@@ -121,7 +121,7 @@
     "emailAnalytics": true
   },
   "portal": {
-    "url": "https://unpkg.com/@tryghost/portal@~1.9.0/umd/portal.min.js",
-    "version": "1.9"
+    "url": "https://unpkg.com/@tryghost/portal@~1.10.0/umd/portal.min.js",
+    "version": "1.10"
   }
 }
diff --git a/package.json b/package.json
index d28731a74e..c8f49c6256 100644
--- a/package.json
+++ b/package.json
@@ -74,7 +74,7 @@
     "@tryghost/limit-service": "0.6.1",
     "@tryghost/logging": "0.1.7",
     "@tryghost/magic-link": "1.0.11",
-    "@tryghost/members-api": "1.32.1",
+    "@tryghost/members-api": "1.32.3",
     "@tryghost/members-csv": "1.1.6",
     "@tryghost/members-importer": "0.3.2",
     "@tryghost/members-ssr": "1.0.12",
diff --git a/yarn.lock b/yarn.lock
index 5a0a339a79..3aea9afade 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1505,10 +1505,10 @@
     jsonwebtoken "^8.5.1"
     lodash "^4.17.15"
 
-"@tryghost/members-api@1.32.1":
-  version "1.32.1"
-  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.1.tgz#a890c8f2f2ae92d7d43437e52cb14dd6ae194732"
-  integrity sha512-1ox59JG6RCa+BZpuJQtfPjddIMQnodAfD2/nm8MvMsEVrUMtiu9BeH6yihJATroCwoqCvNJWGhG2/1t/FubGkw==
+"@tryghost/members-api@1.32.3":
+  version "1.32.3"
+  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.3.tgz#ecf0948db251edcbd5aa4efd5b12db25ceb87da4"
+  integrity sha512-p5rimYXj35fTQBtDuoSLDzuKEmofd4Ot3rokUDAmaa8Lj4Tsoh3TnrTESSUc7PkCwDYts4PDX5+cLPhkc3LpTg==
   dependencies:
     "@tryghost/debug" "^0.1.2"
     "@tryghost/errors" "^0.2.9"