Channel: Issues for Drupal core

Plain text passwords can be accidentally dumped to the database by code that doesn't intend to do that


Problem/Motivation

Follow-up to #2418119: REST user updates bypass tightened user account change validation. That issue adds an "existing" column to the password field, and this column always holds a password in plain text. When a user is saved, the password value column is hashed, but the "existing" column is left alone. The column is never written to the database, but it is present on the user object (and it does need to be).

If you do:

// Load a user, set the "existing" (plain text) password, then serialize the object.
$user = \Drupal\user\Entity\User::load(1);
$user->setExistingPassword('blah');
print serialize($user);

the serialized output contains the existing password in plain text.

Proposed resolution

If an existing password or password is set in clear text on the user object we should mark the object as unsafe for serialization and error if the object is serialized.
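As an added illustration of the proposed resolution (this is example code, not Drupal core's User entity; the class and method names are hypothetical), the object below keeps its clear-text password fields out of any serialized copy by refusing to serialize while one is set:

```php
<?php
// Hypothetical user-like object: refuses serialization while it holds a plain-text
// password, which is the behaviour the proposed resolution describes.
final class UserRecord
{
    private string $hashedPassword = '';
    // Clear-text values that must never reach a serialized copy (cache, queue, DB blob).
    private ?string $existingPassword = null;
    private ?string $plainNewPassword = null;

    public function setExistingPassword(string $plain): void
    {
        $this->existingPassword = $plain;
    }

    public function setPassword(string $plain): void
    {
        $this->plainNewPassword = $plain;
    }

    // Stands in for the save step: hash the pending password and discard the clear text.
    // The "existing" value is deliberately left in place, mirroring the issue above.
    public function save(): void
    {
        if ($this->plainNewPassword !== null) {
            $this->hashedPassword = password_hash($this->plainNewPassword, PASSWORD_DEFAULT);
            $this->plainNewPassword = null;
        }
    }

    public function clearExistingPassword(): void
    {
        $this->existingPassword = null;
    }

    public function hasClearTextPassword(): bool
    {
        return $this->existingPassword !== null || $this->plainNewPassword !== null;
    }

    // __serialize() runs inside serialize(); throwing here is the "error if serialized" step,
    // and the returned array controls exactly which fields a serialized copy may contain.
    public function __serialize(): array
    {
        if ($this->hasClearTextPassword()) {
            throw new LogicException('Refusing to serialize a user object that holds a plain-text password.');
        }
        return ['hashedPassword' => $this->hashedPassword];
    }

    public function __unserialize(array $data): void
    {
        $this->hashedPassword = $data['hashedPassword'];
    }
}

// Constructed walk-through of the scenario from the issue.
$user = new UserRecord();
$user->setExistingPassword('blah');
$user->setPassword('new-secret');
$user->save(); // hashes the new password, but "existing" is still clear text

try {
    serialize($user);
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL; // the accidental dump is blocked
}

$user->clearExistingPassword();
$dump = serialize($user);
assert(strpos($dump, 'blah') === false && strpos($dump, 'new-secret') === false);
echo "Serialized safely once clear-text fields are gone", PHP_EOL;
```

Throwing from __serialize() rather than silently dropping the field is the point: code that caches or queues a user object while a clear-text password is set should fail loudly during development, not quietly write the password somewhere it does not belong.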

Remaining tasks

User interface changes

API changes

