From 0c2e30349c8a21d8926bdd6a260c8d6cb21d8532 Mon Sep 17 00:00:00 2001 From: polarag <23058078+polarag@users.noreply.github.com> Date: Fri, 18 Dec 2020 03:28:30 +0200 Subject: [PATCH] Fix security risk for null emails The returned email from Facebook is sometimes null. Bagisto tries to match the returned email from Facebook against the database, which would allow logins to accounts that have a null email which may not belong to the Facebook user trying to login, and therefore such user accounts might be breached. This commit checks for null emails first, and returns a null customer instead of the first customer with a null email. --- .../src/Repositories/CustomerSocialAccountRepository.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/Webkul/SocialLogin/src/Repositories/CustomerSocialAccountRepository.php b/packages/Webkul/SocialLogin/src/Repositories/CustomerSocialAccountRepository.php index 6934c2ef8..ff43677f2 100644 --- a/packages/Webkul/SocialLogin/src/Repositories/CustomerSocialAccountRepository.php +++ b/packages/Webkul/SocialLogin/src/Repositories/CustomerSocialAccountRepository.php @@ -71,7 +71,7 @@ class CustomerSocialAccountRepository extends Repository if ($account) { return $account->customer; } else { - $customer = $this->customerRepository->findOneByField('email', $providerUser->getEmail()); + $customer = $providerUser->getEmail()?$this->customerRepository->findOneByField('email', $providerUser->getEmail()):null; if (! $customer) { $names = $this->getFirstLastName($providerUser->getName()); @@ -115,4 +115,4 @@ class CustomerSocialAccountRepository extends Repository 'last_name' => $lastName, ]; } -} \ No newline at end of file +}