See:
https://www.drupal.org/drupal-6.35-release-notes
https://www.drupal.org/drupal-7.35-release-notes
https://www.drupal.org/node/2455005
Because the LoginToboggan code passes the user's email address to user_pass_rehash() when the API expects a last login timestamp, the backwards compatibility layer added to Drupal core as part of this security release won't help with LoginToboggan.
The result is that some one-time-login and validation links don't work correctly with these versions of Drupal core.
All modules that call user_pass_rehash() should update for this core release, but for LoginToboggan it's especially critical since the backwards-compatibility layer won't work on any site.
Comment | File | Size | Author |
---|---|---|---|
#1 | logintoboggan-drupal-7.35-compatibility-2455049-1.patch | 1.97 KB | David_Rothstein |
#1 | logintoboggan-drupal-6.35-compatibility-2455049-1.patch | 1.81 KB | David_Rothstein |
Comments
Comment #1
David_Rothstein CreditAttribution: David_Rothstein commentedHere are patches for the Drupal 6 and Drupal 7 versions of the module. They are lightly tested and seem to work, but need review.
Comment #2
citricguy CreditAttribution: citricguy commentedUnder what circumstances are one-time links generated by LoginToboggan? Does LoginToboggan take over the password reset feature from Drupal Core?
Also, far more importantly, thank you David_Rothstein for creating patches for this so quickly.
Comment #3
AnybodyWorks good for me!
Comment #4
Yazzbe CreditAttribution: Yazzbe commentedrolled patch successfully against version 7.x-1.4 on Drupal 7.35
the one time login link seems to work fine for me too.
many thanks for the quick patch.
Comment #5
GaëlG2 people saying it's OK. If I'm right this is RTBC.
Comment #6
David_Rothstein CreditAttribution: David_Rothstein commentedYou're welcome!
I don't think LoginToboggan actually takes over the password reset feature, but it does use one-time-login links in other circumstances. For example, if the module is configured to give new users a "pre-auth" role and only promote them to a full member once they've clicked a link in their email, that link is generated by LoginToboggan and I think is subject to this problem. But I'm not sure about all the details.
Comment #7
Shai CreditAttribution: Shai commentedI've applied the Drupal 6 and Drupal 7 versions of this patch on live sites and tested them both. Worked fine for me. It would be nice to get this out into a release soon.
Thanks much!
Comment #8
drummComment #9
drummI can confirm this patch works well on Drupal.org.
Comment #10
darol100 CreditAttribution: darol100 commentedI have test the D7 patch and works fine. I think this patch is ready for be commit to the dev branch.
Comment #11
saniyat CreditAttribution: saniyat commentedI can confirm this patch works well.
Comment #12
ecvandenberg CreditAttribution: ecvandenberg commentedIn my configuration the one-time-logins work without the patch.
If I can help with providing extra relevant info, just let me know.
Comment #13
MakeOnlineShop CreditAttribution: MakeOnlineShop commentedHello, do you know when login tobogan for drupal 6.35 will be released ? Thank you.
Comment #14
dooug CreditAttribution: dooug at Promet Source commentedI confirmed the conditions/circumstance in which the 7.35 core update breaks logintoboggan 7.x-1.x-dev as mentioned in comment #6:
The LoginToboggan settings on:
/admin/config/system/logintoboggan
should be as follows. "Set Password" must be checked and "Non-authenticated role" should be something other than the authenticated role.The account settings on:
/admin/config/people/accounts
should have: "Who can register accounts?" set to "Visitors, but administrator approval is required"Then when a new visitor creates an account. The administrator gets the "'user_register_pending_approval_admin" email with a link that approves the new user and sets the user's role to 'authenticated', and directs the admin to that user page. For example:
Without this patch, I'd get this drupal error message:
With the patch, this worked as expected. Except in the case that the "Non-authenticated role" was set to "authenticated user", but that seems to be a separate issue, that this field even allows choosing the "authenticated user" role.
Comment #15
Shai CreditAttribution: Shai commentedThanks @Dooug for the clarification.
Is there anything preventing this patch from being committed?
Comment #16
dooug CreditAttribution: dooug at Promet Source commentedThis is a quick drush command to check if your D7 site is configured in a way for the bug to exist:
$ drush sqlq "select * from variable where name = 'user_email_verification' or name = 'user_register' or name = 'logintoboggan_pre_auth_role';"
If so, you'll see:
the logintoboggan_pre_auth_role will depend on which role is set to be assigned to new users before they are approved.
Comment #17
Shai CreditAttribution: Shai commented@dooug,
Thanks so much! Would the query you wrote work equally well for D7 and D6?
Comment #18
dooug CreditAttribution: dooug at Promet Source commented@shai, I haven't tried it on D6, only on D7.
Comment #19
danylevskyiProblem exists. D7 version of the patch worked great for me.
Thanks guys!
Comment #20
dooug CreditAttribution: dooug at Promet Source commentedIt seems that the maintainer, @stevecowie, hasn't made any commits since last July. There are 12 issues that are RTBC waiting. I poked him via email.
Comment #21
dooug CreditAttribution: dooug at Promet Source commentedAlso, since this only affects certain use cases of the module, I downgraded the priority level from "critical" to "major".
Comment #22
citricguy CreditAttribution: citricguy commentedCan also confirm that this patch works.
Comment #23
DuneBLI confirm the patch is working...
Before applying the patch, I got this warning
...when creating a new account.
Comment #24
rfayPushing back to critical - Although the D7 problem is minor, the base problem here is critical, as user_pass_rehash() gets called with wrong arguments.
Comment #25
rfayPlease note that this *also* involves an API change for logintoboggan, as logintoboggan_eml_rehash() has added the uid to its signature. This can break other modules that call logintoboggan_eml_rehash()
Comment #26
myDrupal2014_846824658246 CreditAttribution: myDrupal2014_846824658246 commentedThe patch at #1 works for me.
Comment #27
rogerpfaffTested the patch and can confirm it's working
Comment #28
federico CreditAttribution: federico commentedDrupal 7.35
LoginToboggan 7.x-1.4
Without the patch, I got this error:
Warning: Missing argument 4 for user_pass_rehash(), called in sites/all/modules/logintoboggan/logintoboggan.module on line 1058 and defined en user_pass_rehash() (líne 2386 /modules/user/user.module).
And the user sees this message:
After applying the patch, the error is gone, but when the user registers, there is no validation link whatsoever.
There is no dblog error.
Comment #29
federico CreditAttribution: federico commentedI updated Drupal to 7.36, removed the logintobbogan folder and applied the patch again, but the issue is still there: the user receives the validation link http://www.example.com/user/validate/9946/1428323176/Ewh9kWMV9eyQoqz1NvB... but when the user clicks the link, the following error arises: Notice: Undefined variable: uid en logintoboggan_eml_rehash() (line 1058 de /sites/all/modules/logintoboggan/logintoboggan.module).
Just to check if I am doing it right, these are the commands I made:
Comment #30
darol100 CreditAttribution: darol100 commented@federico,
As far as I know, in order to apply your patches you should download your module using git at the version control tab.
So it should looks something like this...
If you have any other question about applying patches please check this video or this article.
Comment #31
izmeez CreditAttribution: izmeez commented@federico I don't see anything wrong with you applying the patch directly without git. From comment #29 it looks as if the patch applied for you. Sometimes (depending on your OS) you may have to use
patch -p1 < filename.patch
You don't really need a git clone unless you are creating a patch.
Comment #32
federico CreditAttribution: federico commentedThanks, I can confirm that the patch was applied. Today, I tested the module again, creating and validating a new account, and the issue seems to be solved, i.e. the user could validate the account. I don't know why it didn't work 2 days ago but it's working now for me.
Comment #33
liupascal CreditAttribution: liupascal commentedPatch works for me
Comment #34
DanChadwick CreditAttribution: DanChadwick commented+1 RTBC. Tested the 7.x patch.
@stevecowie - We would very much appreciate a commit and new release.
Comment #35
stevecowie CreditAttribution: stevecowie commentedPatch applied and pushed. Apologies to all of you for keeping you waiting on this.
Comment #36
Heine CreditAttribution: Heine commentedCould you please make a new release (per the "crititical bug-fix" criterium)?
Comment #37
David_Rothstein CreditAttribution: David_Rothstein commentedThanks @stevecowie! Yeah, a new release would be nice if possible. In the meantime, I've updated https://www.drupal.org/drupal-7.35-release-notes to indicate that this is fixed in the latest 7.x-1.x release.
There's also a patch for Drupal 6 in #1.
Comment #38
AnybodyI can confirm 7.x-1.x-dev works great and a new stable release would be great for production sites. Thank you very much for your work!
Comment #39
dooug CreditAttribution: dooug at Promet Source commentedHello all, @stevecowie has approved my co-maintainer status, so I will be able to support him to get this issue queue into shape. I'll make it my goal to get this into 6.x-1.x-dev this week and roll new stable releases.
Comment #40
deggertsen CreditAttribution: deggertsen commentedThank you @dooug! This is quite a critical issue.
Comment #41
DanChadwick CreditAttribution: DanChadwick commentedThis was indeed committed, but there was a typo in the issue number in the commit, so the project manage didn't comment here. Here's the commit:
http://cgit.drupalcode.org/logintoboggan/commit/?id=75eff86
Comment #42
deggertsen CreditAttribution: deggertsen commentedIs this fixed then?
Comment #43
DanChadwick CreditAttribution: DanChadwick commentedFixed in D7. Issue open for the D6 patch referenced in #37.
Comment #44
darol100 CreditAttribution: darol100 commentedChanging the title since the D7 patch have been committed.
Comment #46
dooug CreditAttribution: dooug at Promet Source commentedPlease review and confirm that this applies and resolves this issue in D6.35.
Comment #47
jboyette36 CreditAttribution: jboyette36 commentedI tested this solution in Drupal 6.35, however I applied the patch manually because the copy of LoginToboggan that is on the site was apparently customized in some way when the site was built. (It wasn't me!) So, this fixed the one-time login link issue that I was having, but not sure if this qualifies towards RBTC since it wasn't on an official version of the D6 module.
Comment #48
mr.j CreditAttribution: mr.j commentedThe patch has been working fine for us on D6 for over a month.
Comment #50
dooug CreditAttribution: dooug at Promet Source commentedTo avoid any further delay, and since this patch was well reviewed for D7 and is nearly the same in D6, it sounds safe to commit.
Thanks again to @David_Rothstein for the patches!
Comment #52
MarcusTis CreditAttribution: MarcusTis commentedHello,
The patch seems to be have applied to the latest stable version for 7.x-1.5 but it dosen't seem to work as I got the same error message. Do this module require any updates from example ctools? My error message is still saying "For security reasons, the confirmation link is used only once .".
I am running the latest Drupal core 7.39
Thank you,