From 51af102c00f5dee8211c16f4d2d4705c8098bacc Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 9 Feb 2021 22:59:54 +0000
Subject: [PATCH] Prevent CSRF bypass with password reset form

---
 app/controllers/users_controller.rb       |  2 +-
 test/controllers/users_controller_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 8e3f0a355..c2cbca4ae 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -151,7 +151,7 @@ class UsersController < ApplicationController
   def lost_password
     @title = t "users.lost_password.title"
 
-    if params[:email]
+    if request.post?
       user = User.visible.find_by(:email => params[:email])
 
       if user.nil?
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index 02e5db7db..ff75df548 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -812,6 +812,16 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
     user = create(:user)
     uppercase_user = build(:user, :email => user.email.upcase).tap { |u| u.save(:validate => false) }
 
+    # Resetting with GET should fail
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      perform_enqueued_jobs do
+        get user_forgot_password_path, :params => { :email => user.email }
+      end
+    end
+    assert_response :success
+    assert_template :lost_password
+
+    # Resetting with POST should work
     assert_difference "ActionMailer::Base.deliveries.size", 1 do
       perform_enqueued_jobs do
         post user_forgot_password_path, :params => { :email => user.email }
-- 
2.39.5
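Review bot: The new `if request.post?` guard drops the check that an email was actually supplied, so a POST without an `email` parameter now reaches `User.visible.find_by(:email => params[:email])` with `nil` instead of falling through to the form as it did before; unless the email column is non-nullable that becomes a `WHERE email IS NULL` lookup rather than an early exit. Keeping both conditions, `if request.post? && params[:email]`, preserves the old behaviour for malformed submissions while still refusing to act on GET. The fix presumably relies on Rails' request-forgery protection verifying only non-GET requests, which is why the method check rather than the parameter check closes the bypass; a one-line comment such as `# Only act on POST: GET requests are not covered by CSRF verification` would keep that intent visible to future refactors. lost_password continues past the hunk, so the handling of the nil user is not visible here.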
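Review bot: The comment `# Resetting with GET should fail` is misleading next to `assert_response :success`: the GET is expected to succeed as a plain render of the form, and what must not happen is the email delivery. `# A GET must only render the form and never trigger a reset email` states what the block actually asserts. The GET case also does not check that no error state was left behind; if the not-found branch of the controller sets a flash, asserting its absence here would distinguish "form rendered" from "lookup ran and found nothing", which the template and delivery assertions alone cannot. The test method begins and ends outside this hunk.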