Verified Commit 4b0e8708 authored by Lee Rowlands

Issue #2414187 by BramDriesen, cussack: User email disclosure in /user/password

parent 3981c8aa
+1 −7
@@ -249,13 +249,7 @@ public function validateFinal(array &$form, FormStateInterface $form_state) {
        $form_state->setResponse($response);
      }
      else {
        // Use $form_state->getUserInput() in the error message to guarantee
        // that we send exactly what the user typed in. The value from
        // $form_state->getValue() may have been modified by validation
        // handlers that ran earlier than this one.
        $user_input = $form_state->getUserInput();
        $query = isset($user_input['name']) ? ['name' => $user_input['name']] : [];
        $form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [':password' => Url::fromRoute('user.pass', [], ['query' => $query])->toString()]));
        $form_state->setErrorByName('name', $this->t('Unrecognized username or password. <a href=":password">Forgot your password?</a>', [':password' => Url::fromRoute('user.pass')->toString()]));
        $accounts = $this->userStorage->loadByProperties(['name' => $form_state->getValue('name')]);
        if (!empty($accounts)) {
          $this->logger('user')->notice('Login attempt failed for %user.', ['%user' => $form_state->getValue('name')]);
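Review bot: The new `Url::fromRoute('user.pass')->toString()` call has no comment recording why the submitted name is no longer appended as a `name` query parameter, so nothing stops a later change from re-adding it for convenience and reopening #2414187. The removed comment explained that the value is exactly what the user typed, which presumably can be an email address, and placing it in the reset-link URL exposes it through browser history, server logs and Referer headers. A why-comment above the `setErrorByName()` call would preserve the intent, e.g. `// Deliberately do not pass the submitted name to the reset link; it would be exposed in the URL (see #2414187).` The enclosing `validateFinal()` begins and ends outside this hunk.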
+9 −4
@@ -371,9 +371,9 @@ public function testUserPasswordResetLoggedIn() {
  }

  /**
   * Prefill the text box on incorrect login via link to password reset page.
   * Tests the text box on incorrect login via link to password reset page.
   */
  public function testUserResetPasswordTextboxFilled() {
  public function testUserResetPasswordTextboxNotFilled() {
    $this->drupalGet('user/login');
    $edit = [
      'name' => $this->randomMachineName(),
@@ -383,11 +383,16 @@ public function testUserResetPasswordTextboxFilled() {
    $this->submitForm($edit, 'Log in');
    $this->assertSession()->pageTextContains("Unrecognized username or password. Forgot your password?");
    $this->assertSession()->linkExists("Forgot your password?");
    $this->assertSession()->linkByHrefExists(Url::fromRoute('user.pass', [], ['query' => ['name' => $edit['name']]])->toString());
    // Verify we don't pass the username as a query parameter.
    $this->assertSession()->linkByHrefNotExists(Url::fromRoute('user.pass', [], ['query' => ['name' => $edit['name']]])->toString());
    $this->assertSession()->linkByHrefExists(Url::fromRoute('user.pass')->toString());
    unset($edit['pass']);
    // Verify the field is empty by default.
    $this->drupalGet('user/password');
    $this->assertSession()->fieldValueEquals('name', '');
    // Ensure the name field value is not cached.
    $this->drupalGet('user/password', ['query' => ['name' => $edit['name']]]);
    $this->assertSession()->fieldValueEquals('name', $edit['name']);
    // Ensure the name field value is not cached.
    $this->drupalGet('user/password');
    $this->assertSession()->fieldValueNotEquals('name', $edit['name']);
  }
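Review bot: The comment `// Ensure the name field value is not cached.` that precedes the `drupalGet('user/password', ['query' => ['name' => $edit['name']]])` request does not describe the assertion following it, which checks that the field is prefilled from the query parameter; the same sentence then correctly introduces the plain reload two lines later, so the two phases read as duplicates. Replace the first instance with `// Verify the field is prefilled from the name query parameter.` to keep the intent of each request distinct. Note that the test, as it appears here, still documents that /user/password accepts `name` from the query string and prefills the field; the commit only stops the login form's error link from emitting it, so that prefill path remains intentional behaviour rather than something this change removes.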