Remove outdated code that sets password on $account during user registration

Created on 11 January 2016, almost 9 years ago
Updated 4 September 2024, 4 months ago

Problem/Motivation

\Drupal\user\RegisterForm, line 115, has:

    // Add plain text password into user account to generate mail tokens.
    $account->password = $pass;

Drupal 8 doesn't support such a token, and it looks like this is NOT the hashed value set by \Drupal\Core\Field\Plugin\Field\FieldType\PasswordItem, because we copy it before calling $account->save().

The same lines exist in Drupal 7 and are also a possible (minor) security weakness, since the plain text password may be passed through the mail system even though Drupal 7 no longer supports a plain-text password token (Drupal 6 still does).

In Drupal 7, see line 3925 in user.module:

    // Add plain text password into user account to generate mail tokens.
    $account->password = $pass;

Proposed resolution

Remove the code that sets $account->password.

Remaining tasks

Create patch.
Possibly add a test for D8 to ensure that the password is the hashed value after save(), if no such test exists.

User interface changes

none

API changes

none

Data model changes

none
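
One way to write the test suggested under "Remaining tasks", added here as an example and not taken from the issue or from Drupal core: a kernel test, run under Drupal's PHPUnit kernel test suite, asserting that the value held on the account after save() is a hash and never the submitted plain text. The class name, namespace, user name, mail address and password are assumptions.

```php
<?php

namespace Drupal\Tests\user\Kernel;

use Drupal\KernelTests\KernelTestBase;
use Drupal\user\Entity\User;

/**
 * Added example; class name and namespace are assumptions, not core code.
 *
 * @group user
 */
class UserPasswordHashedOnSaveTest extends KernelTestBase {

  /**
   * {@inheritdoc}
   */
  protected static $modules = ['system', 'user'];

  protected function setUp(): void {
    parent::setUp();
    $this->installEntitySchema('user');
  }

  public function testPasswordIsHashedAfterSave(): void {
    // Constructed sample values.
    $plain = 'correct horse battery staple';
    $account = User::create([
      'name' => 'example_user',
      'mail' => 'example_user@example.com',
      'pass' => $plain,
      'status' => 1,
    ]);
    $account->save();

    // PasswordItem hashes the value during save, so the in-memory entity
    // must no longer carry the plain text.
    $stored = $account->getPassword();
    $this->assertNotSame($plain, $stored);
    // The stored value must still verify against the original password.
    $this->assertTrue(\Drupal::service('password')->check($plain, $stored));

    // The same must hold for the value read back from storage.
    $reloaded = User::load($account->id());
    $this->assertNotSame($plain, $reloaded->getPassword());
  }

}
```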

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
User system 

Last updated 2 days ago

Created by

🇺🇸United States pwolanin

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Missing content requested by

🇦🇺Australia dpi
4 months ago