Verified Commit 4b0e8708 authored by Lee Rowlands

Issue #2414187 by BramDriesen, cussack: User email disclosure in /user/password

parent 3981c8aa
...@@ -249,13 +249,7 @@ public function validateFinal(array &$form, FormStateInterface $form_state) { ...@@ -249,13 +249,7 @@ public function validateFinal(array &$form, FormStateInterface $form_state) {
$form_state->setResponse($response); $form_state->setResponse($response);
} }
else { else {
// Use $form_state->getUserInput() in the error message to guarantee $form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [':password' => Url::fromRoute('user.pass')->toString()]));
// that we send exactly what the user typed in. The value from
// $form_state->getValue() may have been modified by validation
// handlers that ran earlier than this one.
$user_input = $form_state->getUserInput();
$query = isset($user_input['name']) ? ['name' => $user_input['name']] : [];
$form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [':password' => Url::fromRoute('user.pass', [], ['query' => $query])->toString()]));
$accounts = $this->userStorage->loadByProperties(['name' => $form_state->getValue('name')]); $accounts = $this->userStorage->loadByProperties(['name' => $form_state->getValue('name')]);
if (!empty($accounts)) { if (!empty($accounts)) {
$this->logger('user')->notice('Login attempt failed for %user.', ['%user' => $form_state->getValue('name')]); $this->logger('user')->notice('Login attempt failed for %user.', ['%user' => $form_state->getValue('name')]);
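Review bot: The new `setErrorByName()` line builds the "Forgot your password?" link from the bare `user.pass` route, but nothing left in the code says why the submitted name is no longer appended, and the deleted comment block was the only explanation of the old prefill; a later maintainer could reintroduce the query parameter as a usability tweak and reopen the issue named in the commit title. Add a why-comment directly above that call, e.g. `// Do not pass the submitted name to the reset form (#2414187): prefilling it there enabled user email disclosure.` This also avoids reflecting raw user input into an href, which the removed `getUserInput()` path did by design. The rest of `validateFinal()` lies outside this hunk.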
...@@ -371,9 +371,9 @@ public function testUserPasswordResetLoggedIn() { ...@@ -371,9 +371,9 @@ public function testUserPasswordResetLoggedIn() {
} }
/** /**
* Prefill the text box on incorrect login via link to password reset page. * Tests the text box on incorrect login via link to password reset page.
*/ */
public function testUserResetPasswordTextboxFilled() { public function testUserResetPasswordTextboxNotFilled() {
$this->drupalGet('user/login'); $this->drupalGet('user/login');
$edit = [ $edit = [
'name' => $this->randomMachineName(), 'name' => $this->randomMachineName(),
...@@ -383,11 +383,16 @@ public function testUserResetPasswordTextboxFilled() { ...@@ -383,11 +383,16 @@ public function testUserResetPasswordTextboxFilled() {
$this->submitForm($edit, 'Log in'); $this->submitForm($edit, 'Log in');
$this->assertSession()->pageTextContains("Unrecognized username or password. Forgot your password?"); $this->assertSession()->pageTextContains("Unrecognized username or password. Forgot your password?");
$this->assertSession()->linkExists("Forgot your password?"); $this->assertSession()->linkExists("Forgot your password?");
$this->assertSession()->linkByHrefExists(Url::fromRoute('user.pass', [], ['query' => ['name' => $edit['name']]])->toString()); // Verify we don't pass the username as a query parameter.
$this->assertSession()->linkByHrefNotExists(Url::fromRoute('user.pass', [], ['query' => ['name' => $edit['name']]])->toString());
$this->assertSession()->linkByHrefExists(Url::fromRoute('user.pass')->toString());
unset($edit['pass']); unset($edit['pass']);
// Verify the field is empty by default.
$this->drupalGet('user/password');
$this->assertSession()->fieldValueEquals('name', '');
// Ensure the name field value is not cached.
$this->drupalGet('user/password', ['query' => ['name' => $edit['name']]]); $this->drupalGet('user/password', ['query' => ['name' => $edit['name']]]);
$this->assertSession()->fieldValueEquals('name', $edit['name']); $this->assertSession()->fieldValueEquals('name', $edit['name']);
// Ensure the name field value is not cached.
$this->drupalGet('user/password'); $this->drupalGet('user/password');
$this->assertSession()->fieldValueNotEquals('name', $edit['name']); $this->assertSession()->fieldValueNotEquals('name', $edit['name']);
} }
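Review bot: The lines `$this->drupalGet('user/password', ['query' => ['name' => $edit['name']]])` followed by `fieldValueEquals('name', $edit['name'])` still pin the `?name=` prefill of the reset form as expected behaviour, so this fix is scoped to the login form no longer emitting that link; the test itself suggests a hand-crafted `user/password?name=...` URL still prefills the field. If that residual behaviour is accepted, the test should say so, e.g. `// The reset form still honours ?name=; this test only verifies the login form no longer emits it.` If it is not, the assertion should become `fieldValueEquals('name', '')` and the form should stop reading the query parameter — that form code is not part of this commit, so I cannot confirm what else relies on it. The method `testUserResetPasswordTextboxNotFilled()` starts in the previous hunk of this section.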