Protect initial login link against abuse and username leaking

Created on 27 November 2019, over 5 years ago
Updated 30 June 2023, about 2 years ago

Copied from https://security.drupal.org/node/166626, which was reviewed and determined to be OK to make public as the impact is minimal. The report came in via email and the reporter did not provide details of their d.o account, so they cannot be credited here.

Problem/Motivation

The "initial login link" that a user gets in their email when registering for an account on a site that allows anonymous registration without approval has a few interesting elements:

  1. It never expires, while the password reset link expires in 24 hours.
  2. The default robots.txt allows crawling of these links.

That combination means that if the URL gets "leaked" somehow, it is very easy to use a search engine to find unused login links.

Note that this issue seems to primarily affect accounts created using disposable email services where the inbox contents become crawlable on the internet.

Proposed resolution

A simple change is to update robots.txt to disallow crawling of /user/reset/*

A behavior-breaking change that would be worthwhile is to validate that the initial login link is used within a certain period of time, perhaps 2 days. (The current patch makes it use the same value as the 'password_reset_timeout' configuration value, which currently is 24 hours and has no UI in Core. Is there a reason to differentiate them?)
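To make the proposed timeout concrete, here is a constructed Python model (added here, not Drupal's code) of a one-time login link of the form /user/reset/{uid}/{timestamp}/{hash}. The secret, the account fields and the token construction are assumptions; the `enforce_on_first_login` flag switches between the current behaviour (no timeout for accounts that have never logged in) and the proposed one (every link expires after the reset timeout).

```python
import hashlib, hmac

SECRET = b"constructed-site-private-key"   # hypothetical site key, not Drupal's
RESET_TIMEOUT = 86400                      # mirrors password_reset_timeout (24 h)

def link_hash(account: dict, timestamp: int) -> str:
    """Bind the link to uid, issue time, last login and password hash.
    Constructed model of a one-time login token, not Drupal's user_pass_rehash()."""
    data = f"{timestamp}:{account['last_login']}:{account['uid']}:{account['pass_hash']}"
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()

def make_link(account: dict, timestamp: int) -> str:
    return f"/user/reset/{account['uid']}/{timestamp}/{link_hash(account, timestamp)}"

def validate(link: str, account: dict, now: int, enforce_on_first_login: bool) -> str:
    """Return 'ok', 'expired' or 'invalid'. With enforce_on_first_login=False the
    timeout is skipped for accounts that have never logged in (the behaviour this
    issue reports); with True every link expires after RESET_TIMEOUT."""
    parts = link.strip("/").split("/")
    if len(parts) != 5 or parts[:2] != ["user", "reset"] or parts[2] != str(account["uid"]):
        return "invalid"
    try:
        timestamp = int(parts[3])
    except ValueError:
        return "invalid"
    if timestamp > now:                       # links from the future are never valid
        return "invalid"
    if not hmac.compare_digest(parts[4], link_hash(account, timestamp)):
        return "invalid"                      # tampered, or account state changed
    first_login = account["last_login"] == 0
    if (enforce_on_first_login or not first_login) and now - timestamp > RESET_TIMEOUT:
        return "expired"
    return "ok"

# Constructed sample: an account created but never logged into, link issued 30 days ago.
NEW_ACCOUNT = {"uid": 42, "last_login": 0, "pass_hash": "constructed-hash"}
ISSUED = 1_700_000_000
LINK = make_link(NEW_ACCOUNT, ISSUED)
NOW = ISSUED + 30 * 86400

def demo():
    """Same stale first-login link under the current and the proposed rule."""
    return (validate(LINK, NEW_ACCOUNT, NOW, enforce_on_first_login=False),
            validate(LINK, NEW_ACCOUNT, NOW, enforce_on_first_login=True))

if __name__ == "__main__":
    print(demo())  # ('ok', 'expired')
```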

Remaining tasks

Lots.

User interface changes

robots.txt disallows access to password reset links.
(maybe) the initial login link verifies a timestamp.

API changes

$expiration_date for UserPasswordResetForm is now effectively mandatory. (Is this an API change? I'm not sure. --roderik)

Data model changes

None.

Release notes snippet

Links in e-mails sent out to newly created users are now valid for a limited time only, like links in "password reset" e-mails already are.

✨ Feature request
Status

Needs work

Version

11.0 🔥

Component
User system →

Last updated about 13 hours ago

Created by

🇺🇸United States greggles Denver, Colorado, USA

  • Security improvements


Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • last update about 2 years ago
    29,565 pass
  • Status changed to Needs review about 2 years ago
  • 🇮🇳India bhanu951

    Rebased MR against 11.x branch, setting NR.

  • last update about 2 years ago
    29,566 pass
  • 🇨🇦Canada Charlie ChX Negyesi 🍁Canada

    Serving as the Ghost of Drupal Past, as I am sure everyone remembers ;) José added this not long ago ;) in #18719: Request New Password Security → with a little dabbling from me, but even I can't recall the reason for no timeout on first login. Re-reading the issue, it was introduced in #14 but there's no reasoning given. Considering some use cases here... for example you might be registering on an event website months ahead, get a link and never bother to go through with the actual account creation until the event comes. If we consider this a valid use case then maybe we should add instructions on how to obtain a fresh reset link -- AFAIK currently the only way in the web UI is to visit user/reset, enter the username and click... so maybe we should consider adding username prefill functionality to the user reset page and add instructions to the initial user mail?

  • Status changed to Needs work about 2 years ago
  • 🇺🇸United States smustgrave

    This seems like something that could use an issue summary update.

    Is the same approach from 3 years ago still desired?

  • 🇺🇸United States daddison

    The issue summary still seems solid to me.

  • 🇺🇸United States wxactly

    Reroll of #25 against Drupal 10.2.x

  • Open in Jenkins → Open on Drupal.org →
    Environment: PHP 8.1 & MariaDB 10.3.22
    last update over 1 year ago
    25,746 pass, 1,791 fail
  • 🇺🇸United States gcb

    Reroll of #34 against 10.3.x

  • First commit to issue fork.
  • Pipeline finished with Failed
    about 2 months ago
    Total: 132s
    #500357
  • Pipeline finished with Failed
    about 2 months ago
    Total: 141s
    #500361
  • Pipeline finished with Success
    about 2 months ago
    Total: 412s
    #500368
  • 🇫🇷France prudloff Lille

    Merged the latest 11.x.

  • Pipeline finished with Success
    about 1 month ago
    Total: 242s
    #505182
  • Pipeline finished with Success
    about 1 month ago
    Total: 382s
    #509738
  • Pipeline finished with Success
    about 1 month ago
    Total: 284s
    #510872
  • Pipeline finished with Success
    about 1 month ago
    Total: 273s
    #510880
  • Pipeline finished with Success
    21 days ago
    #522434
  • Pipeline finished with Canceled
    21 days ago
    #522454
  • Pipeline finished with Canceled
    21 days ago
    #522457
  • Pipeline finished with Success
    21 days ago
    #522460
  • Pipeline finished with Success
    21 days ago
    #522463
  • The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

  • Pipeline finished with Canceled
    11 days ago
    Total: 265s
    #530498
  • Pipeline finished with Success
    11 days ago
    Total: 2041s
    #530504
  • 🇫🇷France prudloff Lille

    I merged the latest 11.x

  • The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    about 14 hours ago
    Total: 1032s
    #539819
  • 🇫🇷France prudloff Lille

    I merged the latest 11.x.

  • Pipeline finished with Success
    about 8 hours ago
    Total: 283s
    #539953
  • Pipeline finished with Success
    about 8 hours ago
    Total: 291s
    #539956