Upgrade devise to 3.5.4 to address CVE-2015-8314
http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
Dominik Sander
3 arquivos alterados com 9 adições e 9 exclusões
+ 1
- 1
Gemfile
@@ -72,7 +72,7 @@ gem 'coffee-rails', '~> 4.1.0' |
||
| 72 | 72 |
gem 'daemons', '~> 1.1.9' |
| 73 | 73 |
gem 'delayed_job', '~> 4.1.0' |
| 74 | 74 |
gem 'delayed_job_active_record', github: 'collectiveidea/delayed_job_active_record', branch: 'master' |
| 75 |
-gem 'devise', '~> 3.4.0' |
|
| 75 |
+gem 'devise', '~> 3.5.4' |
|
| 76 | 76 |
gem 'em-http-request', '~> 1.1.2' |
| 77 | 77 |
gem 'faraday', '~> 0.9.0' |
| 78 | 78 |
gem 'faraday_middleware', github: 'lostisland/faraday_middleware', branch: 'master' # '>= 0.10.1' |
+ 5
- 5
Gemfile.lock
@@ -173,7 +173,7 @@ GEM |
||
| 173 | 173 |
activesupport (>= 3.0, < 5.0) |
| 174 | 174 |
delorean (2.1.0) |
| 175 | 175 |
chronic |
| 176 |
- devise (3.4.1) |
|
| 176 |
+ devise (3.5.4) |
|
| 177 | 177 |
bcrypt (~> 3.0) |
| 178 | 178 |
orm_adapter (~> 0.1) |
| 179 | 179 |
railties (>= 3.2.6, < 5) |
@@ -415,8 +415,8 @@ GEM |
||
| 415 | 415 |
rb-inotify (0.9.5) |
| 416 | 416 |
ffi (>= 0.5.0) |
| 417 | 417 |
ref (2.0.0) |
| 418 |
- responders (2.1.0) |
|
| 419 |
- railties (>= 4.2.0, < 5) |
|
| 418 |
+ responders (2.1.1) |
|
| 419 |
+ railties (>= 4.2.0, < 5.1) |
|
| 420 | 420 |
rest-client (1.8.0) |
| 421 | 421 |
http-cookie (>= 1.0.2, < 2.0) |
| 422 | 422 |
mime-types (>= 1.16, < 3.0) |
@@ -543,7 +543,7 @@ GEM |
||
| 543 | 543 |
macaddr (~> 1.0) |
| 544 | 544 |
uuidtools (2.1.5) |
| 545 | 545 |
vcr (2.9.2) |
| 546 |
- warden (1.2.3) |
|
| 546 |
+ warden (1.2.4) |
|
| 547 | 547 |
rack (>= 1.0) |
| 548 | 548 |
webmock (1.17.4) |
| 549 | 549 |
addressable (>= 2.2.7) |
@@ -572,7 +572,7 @@ DEPENDENCIES |
||
| 572 | 572 |
delayed_job (~> 4.1.0) |
| 573 | 573 |
delayed_job_active_record! |
| 574 | 574 |
delorean |
| 575 |
- devise (~> 3.4.0) |
|
| 575 |
+ devise (~> 3.5.4) |
|
| 576 | 576 |
dotenv! |
| 577 | 577 |
dotenv-rails! |
| 578 | 578 |
dropbox-api |
+ 3
- 3
config/initializers/devise.rb
@@ -94,6 +94,9 @@ Devise.setup do |config| |
||
| 94 | 94 |
# Setup a pepper to generate the encrypted password. |
| 95 | 95 |
# config.pepper = "SOME LONG HASH GENERATED WITH rake secret" |
| 96 | 96 |
|
| 97 |
+ # Send a notification email when the user's password is changed |
|
| 98 |
+ # config.send_password_change_notification = false |
|
| 99 |
+ |
|
| 97 | 100 |
# ==> Configuration for :confirmable |
| 98 | 101 |
# A period that the user is allowed to access the website even without |
| 99 | 102 |
# confirming their account. For instance, if set to 2.days, the user will be |
@@ -151,9 +154,6 @@ Devise.setup do |config| |
||
| 151 | 154 |
# time the user will be asked for credentials again. Default is 30 minutes. |
| 152 | 155 |
# config.timeout_in = 30.minutes |
| 153 | 156 |
|
| 154 |
- # If true, expires auth token on session timeout. |
|
| 155 |
- # config.expire_auth_token_on_timeout = false |
|
| 156 |
- |
|
| 157 | 157 |
# ==> Configuration for :lockable |
| 158 | 158 |
# Defines which strategy will be used to lock an account. |
| 159 | 159 |
# :failed_attempts = Locks an account after a number of failed attempts to sign in. |