Drupal 7 core security update 7.35 introduced a change to the password rehashing adds an extra uid argument to the function user_pass_rehash which is used by logintoboggan_eml_rehash and generates a different password hash to what Core now produces. This results in a hashing failure and results in the message

confirmation link has expired

when logintobboggan is used to handle email validation for the purpose of removing a temporary role and granting a more privilaged role.

The end result is that users cannot confirm their email address and are unable to promote their user accounts to a more functional role.

I've attached a patch which fixes this issue.

CommentFileSizeAuthor
7116-logintoboggan_eml_rehash.patch1.96 KBscott.whittaker
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

EternalLight’s picture

EternalLight CreditAttribution: EternalLight commented

Just been doing the same thing and was about to post the same patch :)
Good job!

peezy’s picture

peezy CreditAttribution: peezy commented
Status: Active » Reviewed & tested by the community

The patch worked great... thanks!

hosais’s picture

hosais CreditAttribution: hosais commented

Thank you for the patch!

I noticed that https://www.drupal.org/node/2455049 and this patch are the same code. Is that right the same code for both of 7.x-1.4 and 7.x-1.dev?

antiorario’s picture

antiorario CreditAttribution: antiorario commented
Status: Reviewed & tested by the community » Closed (duplicate)
Related issues: +#2455049: Various one-time-login and validation links don't work with Drupal 6.35+

See #2455049: Various one-time-login and validation links don't work with Drupal 6.35+ and download the current 7.x-1.x-dev.