user password get lost if editing user account without setting new password

Create 1st account and set new password all is ok.
But if edit account again without new password i got this warning:

md5() expects parameter 1 to be string, array given in C:\www.example.com\modules\user.module on line 113.

and field "pass" of table "users" is empty.

CommentFileSizeAuthor
#7 password_confirm_array_0.patch1.03 KBchx
#5 password_confirm_array.patch1.25 KBJaza
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented

can't confirm that on an existing installation. Do you use any contrib modules?

rstamm’s picture

rstamm CreditAttribution: rstamm commented

No crontrib module.

used only drupal core HEAD

killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented

php5?

rstamm’s picture

rstamm CreditAttribution: rstamm commented

I can confirm it again.

Drupal core HEAD
Setup fresh database.
Created 1st account.
It happen only if edit user account without new password.
If edit user account later again with new password all is ok.

I use XAMPP with PHP 5.1.1 and MySQL 5.0.18

Jaza’s picture

Jaza CreditAttribution: Jaza commented
Assigned: Unassigned » Jaza
Status: Active » Needs review
FileSize
password_confirm_array.patch1.25 KB

I can confirm that this is a real bug, and that it causes problems in PHP4 as well. The bug works differently in PHP4, but the problem is just as serious as in PHP5.

The problem is that password confirm fields are only getting converted from a 2-element array (with elements 'pass1' and 'pass2') into a single string, if the user enters a value in 'pass1'. If not, then the 'pass' element remains as an array, all the way until it gets passed into the md5() function. In PHP4, md5() seems to accept an array (I assume that it somehow converts it into a string), which results in the user's password getting set to an essentially random md5 hash. The only difference with PHP5, is that md5() won't accept the array that it gets passed - the problem is there and stuffs up the user's password in both systems.

Attached patch makes password confirm fields get converted from a 2-element array into a single string, whether or not 'pass1' is empty. This fixes the problem for me.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented

code looks sane to me. i did not test.

chx’s picture

chx CreditAttribution: chx commented
Status: Needs review » Reviewed & tested by the community
FileSize
password_confirm_array_0.patch1.03 KB

I did.

chx’s picture

chx CreditAttribution: chx commented

No change in the patch, just rerolled to remove the offset.

jwilde’s picture

jwilde CreditAttribution: jwilde commented

tested on head - it works for me.

Thank you

killes@www.drop.org’s picture

killes@www.drop.org CreditAttribution: killes@www.drop.org commented
Status: Reviewed & tested by the community » Fixed

applied

rstamm’s picture

rstamm CreditAttribution: rstamm commented
Status: Fixed » Closed (fixed)