Because the regular PHP inequality check is used on passwords, passwords which are numerically equivalent are accepted as the same.

On the edit user page, enter 99999.0 and 99999

The javascript will say they do not match, but submitting the form results in the message "The changes have been saved", and indeed they have.

Discovered on 6.10, confirmed that it exists in 7.x dev and probably all other versions of Drupal.

Presumably the solution is to replace the comparator in form.inc.

Change this:

function password_confirm_validate($form, &$form_state) {
...
    if ($pass1 != $pass2) {
      form_error($form, t('The specified passwords do not match.'));
    }

with this:

function password_confirm_validate($form, &$form_state) {
...
    if (!($pass1 === $pass2)) {
      form_error($form, t('The specified passwords do not match.'));
    }
CommentFileSizeAuthor
#10 password_strcmp-D6.patch639 bytesalexanderpas
#7 398902_password_confirm_validate_2.patch2.29 KBkscheirer
#3 398902_password_confirm_validate.patch2.29 KBkscheirer
#2 password_confirm_validate-398902-D6.patch792 bytesalexanderpas

Comments

alexanderpas’s picture

alexanderpas commented
Assigned: Unassigned » alexanderpas

afaics that is indeed the issue there.

alexanderpas’s picture

alexanderpas commented
Status: Active » Needs work
StatusFileSize
new password_confirm_validate-398902-D6.patch792 bytes

code for 6.x and also for 7.x but missing textcase ;)

Pondering on where to place the testcase for 7.x
any insights?

kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Status: Needs work » Needs review
StatusFileSize
new 398902_password_confirm_validate.patch2.29 KB

good catch!

rerolled patch against HEAD, and added a test case in user.test that attempts to save the type-mismatched passwords.

kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Title: Non-matching passwords may be "successfully" submitted if they are numeric » passwords are not type-checked

better title

lilou’s picture

lilou commented
Issue tags: +Needs backport to D6

Patch look good.

deekayen’s picture

deekayen commented
Status: Needs review » Needs work

I think more accurately what you're looking for is that the string values are the same, not necessarily that the variables are of the same type. How about strcmp()?

if (strcmp($pass1, $pass2) != 0) {
kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Assigned: alexanderpas » kscheirer
Status: Needs work » Needs review
StatusFileSize
new 398902_password_confirm_validate_2.patch2.29 KB

Personally I find !== a little clearer to read, but overall there's no big difference, since this block of code gets so rarely executed. Here ya go with strcmp()...

alexanderpas’s picture

alexanderpas commented
Status: Needs review » Reviewed & tested by the community

I also think strcmp() is more accurate, i'm in favor of it!

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Version: 7.x-dev » 6.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

Wow, what a silly bug! And a test case! Hooray! :D

I agree strcmp() seems safer here just in case your password is something truly crazy.

Committed to HEAD. We should probably port this to 6.x too, methinks.

alexanderpas’s picture

alexanderpas commented
Assigned: kscheirer » alexanderpas
Status: Patch (to be ported) » Needs review
StatusFileSize
new password_strcmp-D6.patch639 bytes

port for D6 ;)

andypost’s picture

andypost
he/him
Primary language Russian
commented
Status: Needs review » Reviewed & tested by the community

Applies clean so as straight forward

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Status: Reviewed & tested by the community » Fixed

Committed to Drupal 6, thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Needs backport to D6

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +Needs backport to D6

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.