[Security] Fixed: Strengthen one-time login links. #6420
This looks great @herbdool!
Any clear guidance on testing this issue? Does this make UI changes or is a background thing?
The respective Drupal issues are either bugs or tasks, so not sure that this is a new feature request. It does need a change record though (same as the one released for D7.100: https://www.drupal.org/node/3409960), so OK if only targeted for 1.28.0 I guess.
@stpaultim you can test it by seeing if changing an email address will expire a one time login for that user. Let me expand. First create a one time login link for a user. Then in a private window use that URL. The user should be logged in. Log out. Then create a second one time login link for that user. But before using the URL, change the email address for that user. Then go to the URL in a private window. This time the URL should not work; it should be expired.
I don't see a good reason why this would need to be in a minor release. As a security-hardening, I think this should be allowed in any bug-fix release as well.
Code looks good to me, still needs manual testing. (Failed to test on the sandbox since it won't send pw reset emails --- needs local testing)
I verified this does not affect existing password-reset tokens or This all looks good to me!
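To show why the manual test above behaves as described, here is an added model of a one-time login token, not Backdrop's or Drupal's own code: it assumes the token is an HMAC over the link timestamp, the account's last-login time, uid and email, keyed with a site secret plus the stored password hash (an assumption about the mechanism), and walks through the exact steps in the comment (use link, log in, reuse it, issue a second link, change the email, use it).

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

SITE_PRIVATE_KEY = b"constructed-site-private-key"  # constructed sample secret
LINK_LIFETIME = 24 * 60 * 60  # seconds a link stays usable (assumed window)


@dataclass
class Account:
    uid: int
    mail: str
    password_hash: str  # stored hash; changes when the password changes
    login: int          # unix time of the last login, 0 if never


def rehash(account: Account, timestamp: int) -> str:
    # Bind the token to the current email as well as uid, last login and password hash,
    # so changing any of them makes every outstanding link fail verification.
    data = f"{timestamp}{account.login}{account.uid}{account.mail}".encode()
    key = SITE_PRIVATE_KEY + account.password_hash.encode()
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_link(account: Account, timestamp: int, token: str, now: int) -> bool:
    if now - timestamp > LINK_LIFETIME:
        return False  # older than the allowed window
    if timestamp <= account.login:
        return False  # issued before the last login: already consumed or stale
    return hmac.compare_digest(token, rehash(account, timestamp))


def walkthrough() -> dict:
    # Constructed account; timestamps are small integers for readability.
    acct = Account(uid=7, mail="alice@example.test", password_hash="hash-1", login=1_000)
    t1 = 2_000
    token1 = rehash(acct, t1)                         # first one-time link
    first_use = check_link(acct, t1, token1, now=t1 + 60)
    acct.login = t1 + 60                              # the link logged the user in
    reuse = check_link(acct, t1, token1, now=t1 + 120)  # same link after logging out
    t2 = t1 + 600
    token2 = rehash(acct, t2)                         # second one-time link
    acct.mail = "alice.new@example.test"              # email changed before use
    after_mail_change = check_link(acct, t2, token2, now=t2 + 60)
    return {"first_use": first_use, "reuse": reuse, "after_mail_change": after_mail_change}
```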
By @herbdool, @quicksketch, @stpaultim, @jenlampton, and @klonos. Port of Drupal issue #3409043 by poker10, catch, Fabianx, pwolanin, rvtraveller.
Merged backdrop/backdrop#4673 into 1.x and 1.27.x. Thanks @herbdool, @stpaultim, and @jenlampton!
Reopening this in order to create a change record. Assigning it to me as well. I'll prepare a draft soon as I get a chance.
Change record created here: https://docs.backdropcms.org/change-records/user-password-reset-links-strengthened
This will address two Drupal 7 improvements:
In https://www.drupal.org/project/drupal/issues/3306390:
From Drupal 7.100: https://www.drupal.org/node/3409960, https://www.drupal.org/node/3409043 (backport from Drupal 10):