Problem/Motivation

In uuid.core.inc:

  if (isset($entity->pass)
    && (!('$S$D' == substr($entity->pass, 0, 4)) || preg_match('/^[a-f0-9]{32}$/', $entity->pass))) {
    // Ensure user's password is hashed.
    $entity->pass = user_hash_password($entity->pass);
  }

we assume that user_hash_password() is defined, which may not be the case.

Proposed resolution

Include password.inc if user_hash_password() is not defined.

Remaining tasks

Write the patch

User interface changes

No UI change

API changes

No API change

Data model changes

No data model change


Comments

valthebald created an issue. See original summary.

skwashd’s picture

Status: Needs review » Postponed (maintainer needs more info)

@valthebald what are the circumstances where password.inc isn't already included?

valthebald’s picture

@skwashd well, password.inc is not included during the bootstrap...
My scenario was user entities (node authors) as dependencies of deployed nodes (deploy module pushes to services module on another server)

valthebald’s picture

Status: Postponed (maintainer needs more info) » Needs work
Related issues: +#2724323: UUID Services update user with pass saved in plain text on database
  if (isset($entity->pass)
    && (!('$S$D' == substr($entity->pass, 0, 4)) || preg_match('/^[a-f0-9]{32}$/', $entity->pass))) {
    // Ensure user's password is hashed.
    $entity->pass = user_hash_password($entity->pass);
  }

@skwashd as you (rightfully) mentioned in #2724323: UUID Services update user with pass saved in plain text on database, the most frequently used scenario is deploy module (site A) pushing content to services module (site B).

If user password is hashed by site A using default password.inc, user_hash_password() will not be called.

If user password comes as a clear text, function user_hash_password must exist, so we need to include password.inc

By the way, if site uses non-default hashing algorithm, hashed password will be rehashed again, breaking user passwords

valthebald’s picture

Instead of using hard-coded pattern for hashed password, we can use (swappable) user_needs_new_hash():

  if (isset($entity->pass) && !preg_match('/^[a-f0-9]{32}$/', $entity->pass)) {
    require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
    if (user_needs_new_hash($entity)) {
      $entity->pass = user_hash_password($entity->pass);
    }
  }

with exception for md5()-ed D6 passwords.
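
Added example (not code from the uuid module or from this thread): a standalone PHP model that runs the current uuid.core.inc condition and the one proposed in the comment above over constructed password values, showing which ones would be passed to user_hash_password(). needs_new_hash_model() is a hypothetical, simplified stand-in assumed to mirror the default includes/password.inc with the default iteration count; a swapped-in password.inc may decide differently.

```php
<?php
// Added example: models only the two conditions, it does not call Drupal.
// needs_new_hash_model() is an assumed stand-in for user_needs_new_hash().

const HASH_LENGTH = 55;  // Length of a hash produced by the default password.inc.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function needs_new_hash_model(string $pass, int $count_log2 = 15): bool {
  // Anything that is not a full-length '$S$' hash needs hashing.
  if (substr($pass, 0, 3) !== '$S$' || strlen($pass) !== HASH_LENGTH) {
    return TRUE;
  }
  // The fourth character encodes the iteration count; 'D' is 15.
  return strpos(ITOA64, $pass[3]) !== $count_log2;
}

// Condition currently in uuid.core.inc.
function original_would_hash(string $pass): bool {
  return !('$S$D' == substr($pass, 0, 4))
    || preg_match('/^[a-f0-9]{32}$/', $pass) === 1;
}

// Condition proposed in the comment above (md5 values are left alone).
function proposed_would_hash(string $pass): bool {
  return !preg_match('/^[a-f0-9]{32}$/', $pass) && needs_new_hash_model($pass);
}

// Constructed sample values, not real credentials or hashes.
$samples = [
  'clear text'             => 'correct horse battery',
  'D7 hash, default count' => '$S$D' . str_repeat('a', 51),
  'D7 hash, count 16'      => '$S$E' . str_repeat('a', 51),
  'D6 md5'                 => md5('constructed'),
];

foreach ($samples as $label => $pass) {
  printf("%-24s original=%-3s proposed=%s\n", $label,
    original_would_hash($pass) ? 'yes' : 'no',
    proposed_would_hash($pass) ? 'yes' : 'no');
}
```

A row where the value is already a hash and a column reads yes is the double-hashing case raised in this thread.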

osodani’s picture

Ran into this issue today, #6 solved it for us