🔒 Fixed member email change vulnerability

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr This updates the signup/signin flow for members to no longer support the email address change flow - which had missing authentication. It has been replaced with a dedicated email change flow, and Portal has been updated to use it.
2025-02-10 23:36:14 -05:00 · 2021-09-22 14:47:12 +02:00 · 2021-09-22 14:47:12 +02:00 · b6be89a44f
commit b6be89a44f
parent a8ee33b533
4 changed files with 7 additions and 6 deletions
--- a/core/frontend/helpers/ghost_head.js
+++ b/core/frontend/helpers/ghost_head.js
@ -41,7 +41,7 @@ function getMembersHelper() {
    const stripeDirectPublishableKey = settingsCache.get('stripe_publishable_key');
    const stripeConnectAccountId = settingsCache.get('stripe_connect_account_id');

-    let membersHelper = `<script defer src="https://unpkg.com/@tryghost/portal@~0.15.0/umd/portal.min.js" data-ghost="${urlUtils.getSiteUrl()}"></script>`;
+    let membersHelper = `<script defer src="https://unpkg.com/@tryghost/portal@~0.16.0/umd/portal.min.js" data-ghost="${urlUtils.getSiteUrl()}"></script>`;
    membersHelper += (`<style> ${templateStyles}</style>`);
    if ((!!stripeDirectSecretKey && !!stripeDirectPublishableKey) || !!stripeConnectAccountId) {
        membersHelper += '<script async src="https://js.stripe.com/v3/"></script>';
--- a/core/server/web/members/app.js
+++ b/core/server/web/members/app.js
@ -34,6 +34,7 @@ module.exports = function setupMembersApp() {
    // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
    membersApp.get('/api/member', middleware.getMemberData);
    membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+    membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
    membersApp.get('/api/session', middleware.getIdentityToken);
    membersApp.delete('/api/session', middleware.deleteSession);
    membersApp.get('/api/site', middleware.getMemberSiteData);
--- a/package.json
+++ b/package.json
@ -56,7 +56,7 @@
    "@tryghost/kg-markdown-html-renderer": "3.0.0",
    "@tryghost/kg-mobiledoc-html-renderer": "3.0.1",
    "@tryghost/magic-link": "0.6.4",
-    "@tryghost/members-api": "0.37.12",
+    "@tryghost/members-api": "0.37.13",
    "@tryghost/members-csv": "0.4.2",
    "@tryghost/members-ssr": "0.8.8",
    "@tryghost/mw-session-from-token": "0.1.14",
--- a/yarn.lock
+++ b/yarn.lock
@ -553,10 +553,10 @@
    jsonwebtoken "^8.5.1"
    lodash "^4.17.15"

-"@tryghost/members-api@0.37.12":
-  version "0.37.12"
-  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-0.37.12.tgz#53660d77b2116b991b3e2e9633ec0d9d01d9249a"
-  integrity sha512-16yLqRLjInmwgEnQe0mSeGj6aM8wch2ZoZEMCuj1aaTdwZExtvtB3qbgX+zYz3Nblr53VdQe9Sz0J4U4IwXDAA==
+"@tryghost/members-api@0.37.13":
+  version "0.37.13"
+  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-0.37.13.tgz#fa43449b64ceab645195649066b1fdb748d89f23"
+  integrity sha512-6d3QDbXaRW4eTnoX5FOqb7JlSiVmm99QHlaygsb3dNYcrT3/q75Ro0TA5KgoTp9x3vde1Gtwr+U76plwGExapQ==
  dependencies:
    "@tryghost/magic-link" "^0.6.7"
    bluebird "^3.5.4"