Issue #1982606 by dstol: Added Routine user error can lead to plaintext passwords in the database.

3d1da5ab · catch · 59244c71 · 3d1da5ab
Commit 3d1da5ab authored May 05, 2013 by catch
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 1 deletion

core/modules/user/user.module core/modules/user/user.module +8 -1

No files found.
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1369,7 +1369,14 @@ function user_login_final_validate($form, &$form_state) {
    }
    else {
      form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
-      watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
+      if (user_load_by_name($form_state['values']['name'])) {
+        watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
+      }
+      else {
+        // If the username entered is not a valid user,
+        // only store the IP address.
+        watchdog('user', 'Login attempt failed from %ip.', array('%ip' => Drupal::request()->getClientIp()));
+      }
    }
  }
  elseif (isset($form_state['flood_control_user_identifier'])) {