In the webserver_auth_attempt_login function, we have the two lines (just after each other):

$uid = (int) $result->fetchField();
if (is_numeric($uid)) {

$uid is coerced to be an int, and then tested for being numeric - which will always be true. In the if clause, (as is said on the next line) "We found the user so just log them in", that is, if the if clause is true (always), call the user_login_submit function.

However, when the database query doesn't find the user trying to log in, fetchField will return false, and in this case the if code should *not* be executed. As it is, functions will be called that assume a successful login. (In my case, a hook_user_login, doing a redirect, to a page which then wanted authentication, and the webserver_auth function was called again, getting into an infinite redirect loop.)

This change is fairly new. In the previous version I'm looking at, the (int) wasn't there, and removing it fixes the problem.

[Apologies if duplicate; my previous attempt to post this ended up in a white screen.]
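
The coercion described in the report above, shown as an added example that is not part of the original post or the module's code. The function names, the `$users` array and the stricter `found_strict` check are hypothetical; the stand-in lookup only mimics fetchField returning a numeric string for a match and FALSE otherwise.

```php
<?php
// Added illustration; not the webserver_auth module's code.

// Hypothetical stand-in for $result->fetchField(): a numeric string when a
// row matches, FALSE when the query finds no user.
function lookup_uid(array $users, string $name) {
  return array_key_exists($name, $users) ? $users[$name] : FALSE;
}

// The check as quoted in the report: the cast turns FALSE into 0, and
// is_numeric(0) is TRUE, so the "user found" branch always runs.
function found_with_cast($field): bool {
  $uid = (int) $field;
  return is_numeric($uid);
}

// The check without the cast, as in the earlier version the report mentions:
// is_numeric(FALSE) is FALSE, so a missing user is rejected.
function found_without_cast($field): bool {
  return is_numeric($field);
}

// A stricter variant (an assumption, not necessarily the shipped fix):
// accept only a positive integer, which rejects FALSE and also uid 0,
// Drupal's anonymous user.
function found_strict($field): bool {
  $options = ['options' => ['min_range' => 1]];
  return filter_var($field, FILTER_VALIDATE_INT, $options) !== FALSE;
}

// Constructed sample data: one known account and one unknown login name.
$users = ['alice' => '7'];

foreach (['alice', 'mallory'] as $name) {
  $field = lookup_uid($users, $name);
  printf(
    "%-8s fetchField=%-6s with_cast=%-6s without_cast=%-6s strict=%s\n",
    $name,
    var_export($field, TRUE),
    var_export(found_with_cast($field), TRUE),
    var_export(found_without_cast($field), TRUE),
    var_export(found_strict($field), TRUE)
  );
}
```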

Comments

specky_rum

Assigned: Unassigned » specky_rum
Status: Active » Needs review

Fixed as suggested with additional check to be sure. Also includes another, vaguely related minor security issue fix. All in the latest dev release, please give it a go and then I'll get it in a 1.4 release.

specky_rum

Status: Needs review » Fixed

1.4 release includes this fix. Thanks.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.