Problem/Motivation
In uuid.core.inc:
```php
if (isset($entity->pass)
  && (!('$S$D' == substr($entity->pass, 0, 4)) || preg_match('/^[a-f0-9]{32}$/', $entity->pass))) {
  // Ensure user's password is hashed.
  $entity->pass = user_hash_password($entity->pass);
}
```
we assume that user_hash_password() is defined, which may not be the case.
Proposed resolution
Include password.inc if user_hash_password() is not defined.
Remaining tasks
Write the patch
User interface changes
No UI change
API changes
No API change
Data model changes
No data model change
Comment | File | Size | Author |
---|---|---|---|
#6 | 2833015-6.patch | 851 bytes | valthebald |
#2 | 2833015.patch | 527 bytes | valthebald |
Comments
Comment #2
valthebald
Comment #3
skwashd (CreditAttribution: skwashd at Dave Hall Consulting for Pfizer, Inc.) commented:
@valthebald what are the circumstances where password.inc isn't already included?
Comment #4
valthebald
@skwashd well, password.inc is not included during the bootstrap...
My scenario was user entities (node authors) as dependencies of deployed nodes (deploy module pushes to services module on another server)
Comment #5
valthebald
@skwashd as you (rightfully) mentioned in #2724323: UUID Services update user with pass saved in plain text on database, the most frequently used scenario is deploy module (site A) pushing content to services module (site B).
If the user password is hashed by site A using the default password.inc, user_hash_password() will not be called.
If the user password comes as clear text, the function user_hash_password must exist, so we need to include password.inc.
By the way, if the site uses a non-default hashing algorithm, the hashed password will be rehashed again, breaking user passwords.
Comment #6
valthebald
Instead of using a hard-coded pattern for hashed passwords, we can use (swappable) user_needs_new_hash():
with exception for md5()-ed D6 passwords.
Comment #7
osodani (CreditAttribution: osodani) commented:
Ran into this issue today, #6 solved it for us
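
The proposed resolution and the approach from comment #6, combined in an added example that is not part of the issue thread or the attached patches. It assumes a bootstrapped Drupal 7 site, the `example_*` function names are hypothetical, and the md5 branch follows core's `user_update_7000()` convention as an assumption rather than what the patch does.

```php
<?php
// Added example, not the attached patch. Assumes a bootstrapped Drupal 7
// site; the example_* function names are hypothetical.

/**
 * Loads the password API the way user.module does, honouring 'password_inc'.
 */
function example_load_password_api() {
  if (!function_exists('user_hash_password')) {
    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
  }
  return function_exists('user_hash_password') && function_exists('user_needs_new_hash');
}

/**
 * Makes sure $entity->pass holds a hash before the user entity is saved.
 */
function example_ensure_hashed_pass($entity) {
  if (!isset($entity->pass) || $entity->pass === '') {
    return;
  }
  // Fail closed: without the API the value could be stored in clear text.
  if (!example_load_password_api()) {
    throw new RuntimeException('Password API unavailable, refusing to save user.');
  }
  // Already an upgraded D6 hash ("U" + phpass hash): keep as received.
  if (substr($entity->pass, 0, 2) === 'U$') {
    return;
  }
  if (preg_match('/^[a-f0-9]{32}$/', $entity->pass)) {
    // Assumption: treat as a D6 md5() hash and wrap it like core's
    // user_update_7000(), so user_check_password() applies md5() first.
    $hash = user_hash_password($entity->pass);
    $hash = $hash ? 'U' . $hash : FALSE;
  }
  elseif (user_needs_new_hash($entity)) {
    // Clear text, or a format the active password.inc does not accept.
    $hash = user_hash_password($entity->pass);
  }
  else {
    return;
  }
  if (!$hash) {
    throw new RuntimeException('Hashing failed, refusing to save user.');
  }
  $entity->pass = $hash;
}
```

With the default password.inc, `user_needs_new_hash()` also returns TRUE for a valid `$S$` hash whose iteration count differs from the receiving site's `password_count_log2`, so such a hash would be hashed a second time unless both sites use the same setting.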