- Issue created by @mcdruid
- Merge request !5825Issue #3409043: Harden user_pass_rehash() against attack → (Open) created by mcdruid
- last update
12 months ago 2,166 pass - last update
11 months ago run-tests.sh exception - Status changed to Needs review
11 months ago 11:57am 19 December 2023 - 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Added a similar test to the one we're working on in the parent issue.
It could perhaps be a unit test, but not sure how reliable that would be as
user_pass_rehash()callsdrupal_get_hash_salt()which may use the$databasesglobal etc.. - 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
The test-only job failed as expected:
https://git.drupalcode.org/project/drupal/-/jobs/506876
Reset password 284 passes, 1 fail, 0 exceptions, and 88 debug messages Test run duration: 22 sec Detailed test results --------------------- ---- UserPasswordResetTestCase ---- Status Group Filename Line Function -------------------------------------------------------------------------------- Fail Other user.test 960 UserPasswordResetTestCase->testUniq No user_pass_rehash() hash collision for different users with no stored password.Same as the parent issue, this will need a CR - any "in flight" reset links will become invalid when the code changes, but they are short-lived by design.
Anything else?
- last update
11 months ago 2,167 pass - last update
11 months ago 2,167 pass - 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Added a draft CR based on the one @poker10 made for the parent issue:
- Status changed to RTBC
11 months ago 8:36pm 8 January 2024 - 🇧🇪Belgium BramDriesen Belgium 🇧🇪
Based on the discussion in the parent, and the fact the tests are green here setting it to RTBC. Also checked the "tests only" run in GitLab which gave the expected result.
- last update
11 months ago 2,167 pass - 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
The parent has been committed to D10/11 - I think we're okay to commit this to D7 now, but I don't want to commit my own patch/MR.
One tweak I might suggest is to use the word "minimal" instead of "lightweight":
// Lightweight user objects are sufficient. $user = drupal_anonymous_user();We don't really need to use objects at all as the properties are passed as individual params, but I think I'm happy with the rest of the test.
@poker10 are you happy to commit this (perhaps changing the comment as above)?
- 🇧🇪Belgium BramDriesen Belgium 🇧🇪
One tweak I might suggest is to use the word "minimal" instead of "lightweight"
Minimal does sound more correct to me. Or maybe even better to just say "Anonymous user objects are sufficient." or drop the comment as it doesn't add that much value either.
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
I think my motivation for adding the comment was to avoid anyone (including myself later on) thinking that we needed to add more code / dependencies to the test in order to provide more complete user objects.. per the vintage comment in the API docs which confirms that
drupal_anonymous_user()doesn't return a full user object, or invoke hooks etc.. etc..https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drup...
I'd be happy with a tweak to the wording, or for the comment to be removed on commit if we think it's not worth keeping.
- last update
10 months ago 2,167 pass - last update
10 months ago 2,128 pass - last update
10 months ago 2,167 pass - last update
10 months ago 2,167 pass - last update
10 months ago 2,167 pass - last update
10 months ago 2,127 pass, 1 fail - last update
10 months ago 2,167 pass - last update
10 months ago 2,167 pass - last update
10 months ago 2,163 pass - last update
10 months ago 2,128 pass - Status changed to Fixed
10 months ago 8:20pm 22 January 2024 - 🇸🇰Slovakia poker10
I think the "minimal" word should be OK, so I changed that on commit. I consider that comment helpful (exactly for reasons mentioned in #10), so not removing it. Other than that I think this looks good and code is the same as the D10 commit (also the CRs are practically the same).
Committed this, thanks all!
Automatically closed - issue fixed for 2 weeks with no activity.
