Fix security risk for null emails

The returned email from Facebook is sometimes null. Bagisto tries to match the returned email from Facebook against the database, which would allow logins to accounts that have a null email which may not belong to the Facebook user trying to login, and therefore such user accounts might be breached.

This commit checks for null emails first, and returns a null customer instead of the first customer with a null email.
This commit is contained in:
polarag 2020-12-18 03:28:30 +02:00 committed by GitHub
parent b6a30fc015
commit 0c2e30349c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions

View File

@ -71,7 +71,7 @@ class CustomerSocialAccountRepository extends Repository
if ($account) {
return $account->customer;
} else {
$customer = $this->customerRepository->findOneByField('email', $providerUser->getEmail());
$customer = $providerUser->getEmail()?$this->customerRepository->findOneByField('email', $providerUser->getEmail()):null;
if (! $customer) {
$names = $this->getFirstLastName($providerUser->getName());
@ -115,4 +115,4 @@ class CustomerSocialAccountRepository extends Repository
'last_name' => $lastName,
];
}
}
}