Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When you synchronise user from Drupal to LDAP with password, the password gets sanitized by check_plain()
so hello&world
becomes hello&world
.
Patch follows.
Comment | File | Size | Author |
---|---|---|---|
#2 | password_sanitized-2463755-2.patch | 792 bytes | haggins |
Comments
Comment #1
haggins CreditAttribution: haggins commentedComment #2
haggins CreditAttribution: haggins commentedComment #3
haggins CreditAttribution: haggins commentedThis issue still exists in Beta 11, 15 months after patch contribution. The patch still applies.
Could you please review and commit it?
Comment #4
nullkernel CreditAttribution: nullkernel commentedThe patch works for me. It took me a little bit of time to reproduce the issue, since Drupal's user table has the password changed too.
When using Drupal's password change form, a password like
hello&world
will be stored (correctly) in the users table. So you are able to log in to Drupal with that password since the account is not actually authenticated against LDAP. However the LDAP server has the password incorrectly set tohello&world
.I was able to reproduce the problem by:
1. Start with a user account has a password with no special characters (e.g.
password
)2. Query the DB for the user's current password hash. (e.g.
SELECT name, pass FROM users WHERE name = 'testaccount';
).3. Use Drupal to change the user's password to
hello&world
.4. Overwrite pass in the users table with the hash returned by the earlier query (e.g.
UPDATE users SET pass = '$S$DpNJh0AGbCGVOr.k/hklTshd6FRjMJg5FTJsd3kjbBHJM' WHERE name = 'testaccount';
)5. Attempt to log in to the user account by entering the password as
hello&world
. It will fail (because this patch is not applied).6. Attempt to log in to the user account by entering the password as
hello&world
. You will be successfully authenticated by the LDAP server and logged in.Applying the patch and going through these steps results in
hello&world
working. I also used my debugger to inspect variables and could see thehello&world
value before this patch (andhello&world
after this patch).I think that the change made by the patch should be fine. The check_plain function is generally useful for preventing XSS vulnerabilities. In this case however, I can think of no reason to process a password attribute with check_plain. Once the password is saved by the LDAP server, it would never be printed within HTML (or even directly retrievable).
In my opinion, this patch looks good. Changing status to RTBC.
Edit: Used code tags for formatting so that html entities I wrote are displayed as intended.
Comment #5
haggins CreditAttribution: haggins commentedThank you @nullkernel for your testing efforts!
Another method to reproduce it, is to set the password in Drupal to "hello&world" and then trying to login into another (non drupal) application that uses the same LDAP. It won't work until one applies this patch.
Comment #7
grahlThanks for testing & reviewing, patch looks fine. I would have liked to sanitize this more but pushing it as-is for a password should be safe since we never see the original again.