From 7810734ac4126a09ff7ac5d336a105b03037bafa Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 8 Feb 2021 12:24:43 +0000
Subject: [PATCH] Prevent CSRF bypass updating account details

Fixes #3089
---
 app/controllers/users_controller.rb | 2 +-
 test/controllers/users_controller_test.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0538d0409..8e3f0a355 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -123,7 +123,7 @@ class UsersController < ApplicationController
 :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
 )
 
- if params[:user] && params[:user][:display_name] && params[:user][:description]
+ if request.post?
 if params[:user][:auth_provider].blank? ||
 (params[:user][:auth_provider] == current_user.auth_provider &&
 params[:user][:auth_uid] == current_user.auth_uid)
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index 03657d288..02e5db7db 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -949,6 +949,14 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 assert_equal "/user/#{ERB::Util.u(user.display_name)}/account", form.attr("action").to_s
 end
 
+ # Updating the description using GET should fail
+ user.description = "new description"
+ user.preferred_editor = "default"
+ get user_account_path(user), :params => { :user => user.attributes }
+ assert_response :success
+ assert_template :account
+ assert_not_equal user.description, User.find(user.id).description
+
 # Updating the description should work
 user.description = "new description"
 user.preferred_editor = "default"
-- 
2.43.2
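Review bot: `if request.post?` drops the old `params[:user]` presence check, so a POST that arrives without a `user` hash now reaches `params[:user][:auth_provider]` on the next line and raises NoMethodError on nil instead of falling through to re-render the form; `if request.post? && params[:user]` keeps the new verb gate while preserving that guard. Keying the branch on the verb is the right fix because Rails' forgery protection only verifies non-GET/HEAD requests, so any state change reachable through GET sidesteps the CSRF token entirely; a comment such as `# Only apply changes on POST - GET requests are not covered by CSRF verification` would record that reasoning for the next maintainer. The enclosing action starts and ends outside the hunk.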
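Review bot: `assert_not_equal user.description, User.find(user.id).description` only proves the stored value differs from "new description"; asserting that it still equals what was persisted before the GET is stronger and catches any write, not just one of that exact value. Capturing `original_description = User.find(user.id).description` before the local mutation and then `assert_equal original_description, User.find(user.id).description` after the request pins that. `preferred_editor` is set on the local object in the same block but never checked after the GET, so the same comparison would presumably apply to it. The enclosing test method starts and ends outside the hunk.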