Protect initial login link against abuse and username leaking

Created on 27 November 2019, almost 6 years ago
Updated 30 June 2023, over 2 years ago

Copied from https://security.drupal.org/node/166626, which was reviewed and determined to be OK to make public as the impact is minimal. The report came in via email and the reporter did not provide details of their d.o account, so we are unable to give them credit.

Problem/Motivation

The "initial login link" that a user gets in their email when registering for an account on a site that allows anonymous registration without approval has a few interesting elements:

  1. It never expires, while the password reset link expires after 24 hours.
  2. The default robots.txt allows crawling of these links.

That combination means that if the URL gets "leaked" somehow, it is very easy to use a search engine to find unused login links.

Note that this issue seems to primarily affect accounts created using disposable email services where the inbox contents become crawlable on the internet.

Proposed resolution

A simple change is to update robots.txt to disallow crawling of /user/reset/*.

A behavior-breaking change that is worthwhile would be to validate that the initial login link is being used within a certain period of time, perhaps 2 days. (The current patch makes it use the same value as the 'password_reset_timeout' configuration value, which is currently 24 hours and has no UI in Core. Is there a reason to differentiate them?)
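To make the proposed timestamp check concrete, the following is an added stand-alone model of it (example code, not Drupal's UserPasswordResetForm or user_pass_rehash). It mirrors the mailed link's path shape, /user/reset/{uid}/{timestamp}/{hash}/login, and lets the timeout be switched between the current never-expiring behaviour and the proposed 'password_reset_timeout' bound; the salt, the account record and the PASSWORD_RESET_TIMEOUT constant are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for a site's hash salt and one account (not real data).
HASH_SALT = b"constructed-site-salt"
PASSWORD_RESET_TIMEOUT = 86400  # models the 'password_reset_timeout' default of 24 hours
ACCOUNT = {"uid": 42, "mail": "newuser@example.com", "pass": "$hashed$", "login": 0}


def link_hash(account: dict, timestamp: int) -> str:
    """Bind the link to the account, the issue time and the last-login time.

    Including the last-login time makes the link single-use: once the user
    has logged in, every link issued earlier stops verifying.
    """
    msg = f"{timestamp}{account['login']}{account['uid']}{account['mail']}".encode()
    key = HASH_SALT + account["pass"].encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_login_link(account: dict, issued_at: int) -> str:
    """Build the path of the mailed link: /user/reset/{uid}/{timestamp}/{hash}/login."""
    return f"/user/reset/{account['uid']}/{issued_at}/{link_hash(account, issued_at)}/login"


def validate_login_link(path: str, account: dict, now: int, timeout: Optional[int]) -> str:
    """Return "ok", "expired" or "invalid".

    timeout=None models the current behaviour (the initial login link never
    expires); timeout=PASSWORD_RESET_TIMEOUT models the proposed behaviour.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 6 or parts[:2] != ["user", "reset"] or parts[5] != "login":
        return "invalid"
    try:
        uid, timestamp = int(parts[2]), int(parts[3])
    except ValueError:
        return "invalid"
    if uid != account["uid"] or timestamp > now:
        return "invalid"
    # Constant-time comparison so the hash check does not leak timing information.
    if not hmac.compare_digest(parts[4], link_hash(account, timestamp)):
        return "invalid"
    if timeout is not None and now - timestamp > timeout:
        return "expired"
    return "ok"
```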

Remaining tasks

Lots.

User interface changes

robots.txt disallows access to password reset links.
(maybe) the initial login link verifies a timestamp.

API changes

$expiration_date for UserPasswordResetForm is now effectively mandatory. (Is this an API change? I'm not sure. --roderik)

Data model changes

None.

Release notes snippet

Links in e-mails sent out to newly created users are now valid for a limited time only, like links in "password reset" e-mails already are.

Feature request
Status

Needs work

Version

11.0

Component
User system 

Last updated about 1 month ago

Created by

🇺🇸United States greggles Denver, Colorado, USA

  • Security improvements

Merge Requests

Comments & Activities

  • First commit to issue fork.
  • Status changed to Needs review over 2 years ago
  • 🇮🇳India bhanu951

    Rebased MR against 11.x branch, setting NR.

  • 🇨🇦Canada Charlie ChX Negyesi 🍁Canada

    Serving as the Ghost of Drupal Past, as I am sure everyone remembers ;) José added this not long ago ;) in #18719: Request New Password Security, with a little dabbling from me, but even I can't recall the reason for no timeout on first login. Re-reading the issue, it was introduced in #14 but there's no reasoning given. Considering some use cases here... for example, you might be registering on an event website months ahead, get a link and never bother to go through with the actual account creation until the event comes. If we consider this a valid use case then maybe we should add instructions on how to obtain a fresh reset link -- AFAIK currently the only way in the web UI is to visit user/reset, enter the username and click... so maybe we should consider adding username prefill functionality to the user reset page and add instructions to the initial user mail?

  • Status changed to Needs work over 2 years ago
  • 🇺🇸United States smustgrave

    This seems like something that could use an issue summary update.

    Is the same approach from 3 years ago still desired?

  • 🇺🇸United States daddison

    The issue summary still seems solid to me.

  • 🇺🇸United States wxactly

    Reroll of #25 against Drupal 10.2.x

  • 🇺🇸United States gcb

    Reroll of #34 against 10.3.x

  • First commit to issue fork.
  • 🇫🇷France prudloff Lille

    Merged the latest 11.x.

  • The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇫🇷France prudloff Lille

    I merged the latest 11.x

  • The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇺🇸United States smustgrave

    Left some comments on the MR.

  • 🇫🇷France prudloff Lille

    I think we need a followup for the todo (remove deprecated code branch in UserPasswordResetForm).
