Sometime after changing the password of a test user via the "edit account" link in the user block, I noticed that its new password was saved as cleartext in the users.data field:

a:3:{s:5:"pass1";s:5:"t35t1";s:5:"pass2";s:5:"t35t1";s:5:"block";a:0:{}}

This is probably a mistake of not calling unset($something['pass1']); unset($something['pass2']); somewhere, but I haven't figured out where.

(I probably don't have to mention that there's not much use in going through the trouble of using a one-way password hash if it's stored in cleartext elsewhere....)
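An audit check for the condition reported above, as an added example that is not part of the original post or of Drupal's code: it decodes a PHP-serialized users.data value and reports any password-like keys left in it, without echoing the values. The key list and function names are assumptions for illustration; the first sample is the value quoted in the report and the second is constructed.

```python
# Audit helper (added example): flag password-like keys in PHP-serialized users.data.
SUSPECT_KEYS = {"pass", "pass1", "pass2"}  # assumption: extend for your site's form fields

def parse_php(buf, pos=0):
    """Decode one PHP-serialized value from bytes; return (value, next_offset)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                     # i:42;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        return {b"i": int, b"b": lambda r: r == "1", b"d": float}[tag](raw), end + 1
    if tag == b"s":                                   # s:<byte length>:"<bytes>";
        colon = buf.index(b":", pos + 2)
        start = colon + 2
        stop = start + int(buf[pos + 2:colon])
        if buf[stop:stop + 2] != b'";':
            raise ValueError("string length mismatch at offset %d" % pos)
        return buf[start:stop].decode("utf-8", "replace"), stop + 2
    if tag == b"a":                                   # a:<count>:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count, pos, items = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = parse_php(buf, pos)
            items[key], pos = parse_php(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at offset %d" % pos)
        return items, pos + 1
    raise ValueError("unsupported type tag %r at offset %d" % (tag, pos))

def find_password_keys(value, path=""):
    """Return paths of suspect keys; values are never returned, so they stay out of logs."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = "%s/%s" % (path, key)
            if str(key).lower() in SUSPECT_KEYS:
                hits.append(here)
            hits.extend(find_password_keys(child, here))
    return hits

def audit_user_data(serialized):
    """Decode one users.data value (bytes) and list the suspect key paths in it."""
    value, end = parse_php(serialized)
    if end != len(serialized):
        raise ValueError("trailing bytes after serialized value")
    return find_password_keys(value)

REPORTED = b'a:3:{s:5:"pass1";s:5:"t35t1";s:5:"pass2";s:5:"t35t1";s:5:"block";a:0:{}}'
CLEAN = b'a:1:{s:5:"block";a:0:{}}'  # constructed: the same row without the form fields
```

Run `audit_user_data` over each row's data column from a database dump; any non-empty result identifies an account whose password should be treated as exposed.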


Comments

moshe weitzman’s picture

do you have ldap_integration.module installed by chance? if you do, and you don't have access to the mcrypt module, then this is expected behavior. this is documented in the Help.

i suggest trying to duplicate this in a stock drupal environment. the _user hook lets modules insert all sorts of things in the data column.

matt-1’s picture

Nope, no ldap_integration.module...some other one? Seems kind of silly for any module to store a cleartext password there though....

Anonymous’s picture

Assigned: Unassigned » dries

Fixed in CVS.