Headline
CVE-2023-37904: SECURITY: Handle concurrent invite accepts · discourse/discourse@62a609e
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, more users than permitted could be created from invite links. The issue is patched in version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches. As a workaround, use restrict to email address invites.
Expand Up
@@ -984,6 +984,27 @@
Fabricate(:invite, email: nil, emailed_status: Invite.emailed_status_types[:not_required])
end
it “does not create multiple users for a single use invite” do
user_count = User.count
2
.times
.map do
Thread.new do
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "[email protected]",
password: "verystrongpassword",
}
end
end
.each(&:join)
expect(invite.reload.max_redemptions_allowed).to eq(1)
expect(invite.reload.redemption_count).to eq(1)
expect(User.count).to eq(user_count + 1)
end
it “sends an activation email and does not activate the user” do
expect {
put "/invites/show/#{invite.invite_key}.json",
Expand Down