core security update
@@ -418,13 +418,11 @@ function user_load_by_name($name) {
*
* @return
* A fully-loaded $user object upon successful save or FALSE if the save failed.
*
* @todo D8: Drop $edit and fix user_save() to be consistent with others.
*/
function user_save($account, $edit = array(), $category = 'account') {
$transaction = db_transaction();
try {
if (!empty($edit['pass'])) {
if (isset($edit['pass']) && strlen(trim($edit['pass'])) > 0) {
// Allow alternate password hashing schemes.
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
$edit['pass'] = user_hash_password(trim($edit['pass']));
@@ -791,7 +789,7 @@ function user_role_permissions($roles = array()) {
* (optional) The account to check, if not given use currently logged in user.
*
* @return
* Boolean TRUE if the current user has the requested permission.
* Boolean TRUE if the user has the requested permission.
*
* All permission checks in Drupal should go through this function. This
* way, we guarantee consistent behavior, and ensure that the superuser
@@ -958,6 +956,8 @@ function user_search_access() {
*/
function user_search_execute($keys = NULL, $conditions = NULL) {
$find = array();
// Escape for LIKE matching.
$keys = db_like($keys);
// Replace wildcards with MySQL/PostgreSQL wildcards.
$keys = preg_replace('!\*+!', '%', $keys);
$query = db_select('users')->extend('PagerDefault');
@@ -967,13 +967,13 @@ function user_search_execute($keys = NULL, $conditions = NULL) {
// and they don't need to be restricted to only active users.
$query->fields('users', array('mail'));
$query->condition(db_or()->
condition('name', '%' . db_like($keys) . '%', 'LIKE')->
condition('mail', '%' . db_like($keys) . '%', 'LIKE'));
condition('name', '%' . $keys . '%', 'LIKE')->
condition('mail', '%' . $keys . '%', 'LIKE'));
}
else {
// Regular users can only search via usernames, and we do not show them
// blocked accounts.
$query->condition('name', '%' . db_like($keys) . '%', 'LIKE')
$query->condition('name', '%' . $keys . '%', 'LIKE')
->condition('status', 1);
}
$uids = $query
@@ -1160,7 +1160,7 @@ function user_account_form(&$form, &$form_state) {
$form['account']['roles'] = array(
'#type' => 'checkboxes',
'#title' => t('Roles'),
'#default_value' => (!$register && isset($account->roles) ? array_keys($account->roles) : array()),
'#default_value' => (!$register && !empty($account->roles) ? array_keys(array_filter($account->roles)) : array()),
'#options' => $roles,
'#access' => $roles && user_access('administer permissions'),
DRUPAL_AUTHENTICATED_RID => $checkbox_authenticated,
@@ -1230,7 +1230,7 @@ function user_validate_current_pass(&$form, &$form_state) {
// that prevent them from being empty if they are changed.
if ((strlen(trim($form_state['values'][$key])) > 0) && ($form_state['values'][$key] != $account->$key)) {
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
$current_pass_failed = empty($form_state['values']['current_pass']) || !user_check_password($form_state['values']['current_pass'], $account);
$current_pass_failed = strlen(trim($form_state['values']['current_pass'])) == 0 || !user_check_password($form_state['values']['current_pass'], $account);
if ($current_pass_failed) {
form_set_error('current_pass', t("Your current password is missing or incorrect; it's required to change the %name.", array('%name' => $name)));
form_set_error($key);
@@ -1306,10 +1306,12 @@ function user_user_presave(&$edit, $account, $category) {
elseif (!empty($edit['picture_delete'])) {
$edit['picture'] = NULL;
}
// Prepare user roles.
if (isset($edit['roles'])) {
$edit['roles'] = array_filter($edit['roles']);
}
}
// Filter out roles with empty values to avoid granting extra roles when
// processing custom form submissions.
if (isset($edit['roles'])) {
$edit['roles'] = array_filter($edit['roles']);
}
// Move account cancellation information into $user->data.
@@ -1751,9 +1753,11 @@ function user_menu() {
$items['admin/people/create'] = array(
'title' => 'Add user',
'page callback' => 'user_admin',
'page arguments' => array('create'),
'access arguments' => array('administer users'),
'type' => MENU_LOCAL_ACTION,
'file' => 'user.admin.inc',
);
// Administration pages.
@@ -1911,13 +1915,13 @@ function user_menu_link_alter(&$link) {
// for authenticated users. Authenticated users should see "My account", but
// anonymous users should not see it at all. Therefore, invoke
// user_translated_menu_link_alter() to conditionally hide the link.
if ($link['link_path'] == 'user' && $link['module'] == 'system') {
if ($link['link_path'] == 'user' && isset($link['module']) && $link['module'] == 'system') {
$link['options']['alter'] = TRUE;
}
// Force the Logout link to appear on the top-level of 'user-menu' menu by
// default (i.e., unless it has been customized).
if ($link['link_path'] == 'user/logout' && $link['module'] == 'system' && empty($link['customized'])) {
if ($link['link_path'] == 'user/logout' && isset($link['module']) && $link['module'] == 'system' && empty($link['customized'])) {
$link['plid'] = 0;
}
}
@@ -2161,7 +2165,7 @@ function user_login_name_validate($form, &$form_state) {
*/
function user_login_authenticate_validate($form, &$form_state) {
$password = trim($form_state['values']['pass']);
if (!empty($form_state['values']['name']) && !empty($password)) {
if (!empty($form_state['values']['name']) && strlen(trim($password)) > 0) {
// Do not allow any login from the current user's IP if the limit has been
// reached. Default is 50 failed attempts allowed in one hour. This is
// independent of the per-user limit to catch attempts from one IP to log
@@ -2225,7 +2229,11 @@ function user_login_final_validate($form, &$form_state) {
}
}
else {
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
// Use $form_state['input']['name'] here to guarantee that we send
// exactly what the user typed in. $form_state['values']['name'] may have
// been modified by validation handlers that ran earlier than this one.
$query = isset($form_state['input']['name']) ? array('name' => $form_state['input']['name']) : array();
form_set_error('name', t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => $query)))));
watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']));
}
}
@@ -2248,7 +2256,7 @@ function user_login_final_validate($form, &$form_state) {
*/
function user_authenticate($name, $password) {
$uid = FALSE;
if (!empty($name) && !empty($password)) {
if (!empty($name) && strlen(trim($password)) > 0) {
$account = user_load_by_name($name);
if ($account) {
// Allow alternate password hashing schemes.
@@ -2488,7 +2496,9 @@ function user_cancel($edit, $uid, $method) {
}
/**
* Last batch processing step for cancelling a user account.
* Implements callback_batch_operation().
*
* Last step for cancelling a user account.
*
* Since batch and session API require a valid user account, the actual
* cancellation of a user account needs to happen last.
@@ -2536,6 +2546,8 @@ function _user_cancel($edit, $account, $method) {
}
/**
* Implements callback_batch_finished().
*
* Finished batch processing callback for cancelling a user account.
*
* @see user_cancel()
@@ -3039,6 +3051,11 @@ function user_role_delete($role) {
$role = user_role_load_by_name($role);
}
// If this is the administrator role, delete the user_admin_role variable.
if ($role->rid == variable_get('user_admin_role')) {
variable_del('user_admin_role');
}
db_delete('role')
->condition('rid', $role->rid)
->execute();
@@ -3654,12 +3671,7 @@ function user_form_process_password_confirm($element) {
);
$element['#attached']['js'][] = drupal_get_path('module', 'user') . '/user.js';
// Ensure settings are only added once per page.
static $already_added = FALSE;
if (!$already_added) {
$already_added = TRUE;
$element['#attached']['js'][] = array('data' => $js_settings, 'type' => 'setting');
}
$element['#attached']['js'][] = array('data' => $js_settings, 'type' => 'setting');
return $element;
}
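Review bot: In user_validate_current_pass (hunk @@ -1230) the new condition trims current_pass only for the emptiness test and still hands the untrimmed value to user_check_password(), while user_save() stores the hash of `trim($edit['pass'])` (hunk @@ -418) and user_login_authenticate_validate() trims the password before authenticating (hunk @@ -2161), so unless user_check_password() trims internally a password set with surrounding whitespace logs in but fails this check. Trim once and reuse it: `$current_pass = trim($form_state['values']['current_pass']);` followed by `$current_pass_failed = strlen($current_pass) == 0 || !user_check_password($current_pass, $account);`. Replacing empty() with strlen(trim(...)) also drops the implicit isset guard, so if current_pass can ever be absent from $form_state['values'] this line now emits an undefined-index notice where the old line was silent; the `isset(...) && strlen(trim(...)) > 0` shape the same commit uses in user_save avoids that. In user_login_authenticate_validate the inner trim in `strlen(trim($password)) > 0` is redundant, since $password is already trimmed on assignment two lines earlier. The enclosing functions in all three hunks begin or end outside the hunk.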