The denial-of-service fixes from https://www.drupal.org/SA-CORE-2014-006 look like they would be relevant to Drupal 8 too and need to be ported there.

See the password.inc changes from http://cgit.drupalcode.org/drupal/commit/?id=81586d9e9d04dcee487c50de426... (and also the related tests).

Patch credit (for the Drupal 7 fix): klausi, pwolanin, Heine, tsphethean
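For readers who want to see the shape of the fix being ported, the following is an added illustration written for this page; it is not Drupal's password.inc, not the committed patch, and not the project's own code. It assumes the 512-byte cap that Drupal 8 exposes as PasswordInterface::MAX_PASSWORD_LENGTH, uses PHP's built-in password_hash()/password_verify() as a stand-in for Drupal's phpass-based hasher, and the names guarded_hash(), guarded_check() and provider_long_passwords() are invented here.

```php
<?php
// Added illustration, not Drupal core code. The 512-byte cap mirrors
// PasswordInterface::MAX_PASSWORD_LENGTH in Drupal 8 (assumption stated in
// the lead-in); password_hash()/password_verify() stand in for phpass.

const MAX_PASSWORD_LENGTH = 512;

/**
 * Hashes a password, refusing over-long input before any expensive work.
 *
 * @return string|false
 *   The hash, or FALSE if the password exceeds the cap.
 */
function guarded_hash(string $password)
{
    // Byte length, not character count: strlen() is what the request body
    // actually costs the stretching loop.
    if (strlen($password) > MAX_PASSWORD_LENGTH) {
        return FALSE;
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

/**
 * Verifies a candidate password. Over-long candidates are rejected up front
 * so a login attempt cannot be used to burn CPU on stretched hashing.
 */
function guarded_check(string $password, string $hash): bool
{
    if (strlen($password) > MAX_PASSWORD_LENGTH) {
        return FALSE;
    }
    return password_verify($password, $hash);
}

/**
 * Test matrix in the shape of a PHPUnit data provider: [password, hashes?].
 */
function provider_long_passwords(): array
{
    $boundary = str_repeat('a', MAX_PASSWORD_LENGTH);
    return [
        'short'        => ['correct horse battery staple', TRUE],
        'exactly max'  => [$boundary, TRUE],
        'one over max' => [$boundary . 'a', FALSE],
        'far over max' => [str_repeat('a', 1 << 20), FALSE],  // 1 MiB body
    ];
}

foreach (provider_long_passwords() as $name => [$password, $expectHash]) {
    $start = microtime(TRUE);
    $hash = guarded_hash($password);
    $elapsed = microtime(TRUE) - $start;

    assert(($hash !== FALSE) === $expectHash, "hash() case '$name'");
    if ($hash !== FALSE) {
        assert(guarded_check($password, $hash) === TRUE, "check() case '$name'");
        // A candidate padded past the cap must fail fast even against a
        // valid stored hash: the guard belongs in the verify path too.
        $padded = $password . str_repeat('x', MAX_PASSWORD_LENGTH);
        assert(guarded_check($padded, $hash) === FALSE, "padded '$name'");
    }
    printf("%-12s %s in %.4fs\n", $name,
        $hash === FALSE ? 'rejected' : 'hashed', $elapsed);
}
```

Run it with `php -d zend.assertions=1 guard.php`. The reason the guard matters is that phpass-style stretching feeds the whole password back into the digest on every one of its iterations, so the CPU cost of one hash scales with the length of the submitted password; checking strlen() before any hashing starts bounds that cost per request. The check has to sit in both the hashing and the verification path, because an unauthenticated login attempt exercises the latter. The bcrypt stand-in used above truncates its input at 72 bytes, so the length effect is much less visible with it than with phpass, but the cap is still the correct place to stop the request.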


Comments

David_Rothstein’s picture

Adding link to the related issue for the other half of the security advisory.

David_Rothstein’s picture

Issue summary: View changes
Berdir’s picture

Assigned: Unassigned » Berdir

Working on this.

Berdir’s picture

Assigned: Berdir » Unassigned
Status: Active » Needs review
Attached files: 1.66 KB, 2.88 KB

Ported the fix and the tests.

The last submitted patch, 4: password-length-2378703-4-test-only.patch, failed testing.

klausi’s picture

Status: Needs review » Needs work

Cool, almost ready!

+++ b/core/tests/Drupal/Tests/Core/Password/PasswordHashingTest.php
@@ -137,6 +137,43 @@ public function testPasswordRehashing() {
+  public function providerLongPasswords() {
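Review bot: the added `providerLongPasswords()` has no doc block, and Drupal's coding standards require a summary line on every method; a one-line `/** Provides the test matrix for testLongPassword(). */` before the declaration covers it. The `@@ -137,6 +137,43 @@` header says 37 lines were added, but only this one is quoted, so the provider's rows and the test method that consumes them via `@dataProvider` cannot be checked from this excerpt; whoever reviews the full patch should confirm it includes a case exactly at the length limit as well as one past it.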

Doc block missing, something like "Provides the test matrix for testLongPassword()."

Berdir’s picture

Status: Needs work » Needs review
Attached files: 2.94 KB, 618 bytes

Wasn't sure what to add as a comment, or whether to add one at all; we have a lot of undocumented data provider methods. But your suggestion works for me ;)

klausi’s picture

Status: Needs review » Reviewed & tested by the community

Thanks, looks good.

catch’s picture

Status: Reviewed & tested by the community » Fixed

Committed/pushed to 8.0.x, thanks!

  • catch committed 9df8989 on 8.0.x
    Issue #2378703 by Berdir: Port denial of service fixes from SA-CORE-2014...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.