See:
https://www.drupal.org/SA-CORE-2015-001
http://cgit.drupalcode.org/drupal/commit/?id=b44056d2f8e8c71d35c85ec5c2f...

This issue is only for the access bypass issue involving password reset URLs.

There was some discussion in the security team about whether this actually affects Drupal 8 in any way, but we should find out. And probably at a minimum, port the tests from Drupal 7 to Drupal 8 to help see if it's possible to reproduce any security issue.

Credit for the D6/D7 version of this patch (the security release):

klausi, David_Rothstein, pwolanin, benjy
CommentFileSizeAuthor
#3 user-pass-rehash-2455079-3.patch13.28 KBberdir
#3 user-pass-rehash-2455079-3-test-only.patch3.88 KBberdir

Comments

David_Rothstein’s picture

David_Rothstein commented
Issue summary: View changes
Related issues: +#2455083: Open redirect fixes from SA-CORE-2015-001 need to be ported to Drupal 8
effulgentsia’s picture

effulgentsia commented
Issue tags: +D8 upgrade path

Tagging "D8 upgrade path" as well so that we don't release a supported upgrade path beta that has publicly known security exploits.

berdir’s picture

berdir
Primary language German
Location Switzerland
commented
Status: Active » Needs review
StatusFileSize
new user-pass-rehash-2455079-3-test-only.patch3.88 KB
new user-pass-rehash-2455079-3.patch13.28 KB

Yeah, I hope nobody bet that Drupal 8 is not affected ;)

Left out the stuff about BC, I don't think we need that for 8, we need a change record for this, wondering if we can make it so that it also applies to 7.x. The API is still the same ;)

The last submitted patch, 3: user-pass-rehash-2455079-3-test-only.patch, failed testing.

berdir’s picture

berdir
Primary language German
Location Switzerland
commented

Ah, there's already https://www.drupal.org/node/2455005, great. We can update that when this is committed with 8.x code examples, already referenced the issue.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Needs review » Reviewed & tested by the community

new record

berdir’s picture

berdir
Primary language German
Location Switzerland
commented

Note: The db_update() is not pretty and won't work with MongoDB, but I don't see a way to use the API for this. @larowlan and me agreed that we shouldn't hold up a critical on this, I notified @chx and we'll try to find a solution in a follow-up or so.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented

+1 RTBC

Test case looks good, and I think it is important that we add the uid to the password reset HMAC, same as we did in D7. That way we avoid vulnerabilities when corrupt user data is migrated into a D8 database where password and last login timestamp are NULL.

chx’s picture

chx commented

It's a test. I already discussed with alexpott that we know that some issues #1518506: Normalize how case sensitivity is handled across database engines #2443679: PostgreSQL: Fix taxonomy\Tests\TermTest will fail on SQLite we need to add test method exclusions (I thought it'll be #301005: Add "expected fail" functionality to simpletest but after the discussion it won't be) per driver so there's no problem here.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed

Committed 8e54eca and pushed to 8.0.x. Thanks!

  • alexpott committed 8e54eca on 8.0.x 
    Issue #2455079 by klausi, David_Rothstein, pwolanin, benjy, Berdir:...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.