Install

Works with Drupal: 7.x

Downloads

Download services-7.x-3.10.tar.gz (tar.gz, 102.72 KB)
MD5: dfc142f4d1507ef7e9233523da2ab57e
SHA-1: a85c49d166b4c36803c9d4b4bbb160fcac628c9d
SHA-256: 50f2004072d9d5339d5a3458d23f98e4da01520ac668ef26fc9f2f14f561eda9
Download services-7.x-3.10.zip (zip, 143.65 KB)
MD5: 1c4638490353e7417259ed8f2269d228
SHA-1: cab53659ce0343ee26895a6dea8aeba1c698b5af
SHA-256: ce6173ccddde1f193bb62512f3c25b298c6f9f8c52969e2ec632b7b98893d8d8

Release notes

This release contains several security updates; see SA-CONTRIB-2014-092.

New user's password set to weak password in _user_resource_create()

When creating a new user account via Services, the new user's password was set to a weak password.

This issue is mitigated by the fact that the user resource must be enabled (or at least have been enabled in the past) and new user registration must be permitted via Services.

Action required: This release of Services comes with an interface and a drush command to perform the actions needed to secure your site and remove this vulnerability. After installing this release and running the regular database updates, read all the information provided at admin/config/services/services-security and pick the option best suited to your site. For example, you can reset the password of all user accounts created since August 30th, 2013 (recommended).

Unfiltered JSONP callback parameter (XSS)

The JSONP callback parameter was not filtered and was echoed raw into the HTTP response. This can lead to arbitrary JavaScript execution.

This issue is mitigated by the fact that JSONP is not enabled by default in the REST server response formatters, and that the HTTP client's Accept header must be set to text/javascript or application/javascript if the "xml" formatter is enabled.

The Services module now restricts callback parameters to alphanumeric characters only, with a hard limit of 60 characters.
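As an added illustration (not code from the Services module; the function names are hypothetical), the rule described above applied to a JSONP response builder, exercised with constructed inputs:

```php
<?php
// Added illustration, not code from the Services module. Helper names are
// hypothetical; the rule enforced is the one this release describes: a JSONP
// callback must be alphanumeric only, with a hard limit of 60 characters.

/**
 * TRUE when the callback is safe to echo into a text/javascript response.
 */
function example_jsonp_callback_is_safe($callback) {
  // Only A-Z, a-z, 0-9, and never more than 60 characters.
  return is_string($callback) && preg_match('/^[A-Za-z0-9]{1,60}$/', $callback) === 1;
}

/**
 * Builds a JSONP body. The callback is validated before it reaches the output,
 * so client-controlled text is never written raw into the response.
 */
function example_jsonp_response(array $data, $callback) {
  if (!example_jsonp_callback_is_safe($callback)) {
    // Refuse the request instead of emitting the unvalidated string.
    throw new InvalidArgumentException('Invalid JSONP callback parameter.');
  }
  // Escape <, > and & inside the JSON payload as well, so the data part
  // cannot break out of a script context either.
  $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP);
  return $callback . '(' . $json . ');';
}

// Constructed sample callbacks (not taken from the page).
$cases = array(
  'handleUsers',        // accepted
  str_repeat('a', 60),  // accepted: exactly at the 60-character limit
  str_repeat('a', 61),  // rejected: one character over the limit
  'handle.users',       // rejected: "." is not alphanumeric
  'cb();',              // rejected: punctuation would have been echoed raw before 7.x-3.10
);
foreach ($cases as $cb) {
  try {
    echo example_jsonp_response(array('uid' => 1, 'name' => 'alice'), $cb), "\n";
  }
  catch (InvalidArgumentException $e) {
    echo 'rejected: ', substr($cb, 0, 20), "\n";
  }
}
```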

Flood control for user login bypass

Flood control was not properly enforced, leaving the user login resource vulnerable to brute-force attacks. Services now implements flood control just as Drupal core does.

Issue #2241051: Pass contextual argument to hook_controller_settings_alter()
Issue #2341733: _node_resource_update: triggering element in form state
Issue #1303400: Forgot (Reset) Password action on user resource: fix forgot password reset
Emulates Drupal core flood control
Restricts callback parameter to 60 characters and limits it to alphanumeric only
Updates user resource to log accounts created from Services
Fixes an error with headers on services versions
By kylebrowning, tyler.frankenstein: Adds user resource pass array options.
Issue #1912842 by akroplas: REST Server XML parser returns arrays with empty values when POSTing or PUTting...
Issue #2300311 by fearlsgroove: REST server should not return newlines in HTTP headers
Issue #2301127 by mglaman: Doesn't set triggering element in form state
Issue #1923652 by ciss | mmillford: Using non-string callbacks generate warnings.
Issue #2260375: services_remove_user_data expects to receive $account as object, but array passed from _user_resource_update
Issue #2283757: Inconsistency in error messages format
Fixes issues found in tests where $user and $account were not objects in the remove user data function.
9c2457a: Remove patch file
Issue #2199783: Provide help text for path to endpoint field
Adds services alias underscore test
Issue #1526308: services_oauth with multiple authentication methods: fixes error in code
Fixes error in access to comments.
Fixes a bug in user resource with roles
Issue #2158563 by deviantintegral: Services should return a 403 instead of a 401 for access denied

Created by: kylebrowning
Created on: 24 Sep 2014 at 18:28 UTC
Last updated: 2 Aug 2018 at 04:56 UTC
Security update
Bug fixes
New features
Insecure