Under php5 with Drupal 5.0, an open_basedir restriction occurs.

There is an incorrectly written include:

include 'persistent_login_debug.inc';

which should be

include_once(drupal_get_path('module', 'persistent_login') .'/persistent_login_debug.inc');

A patch is attached if someone wants to check it and commit it - AFAIK there are no problems with retrograding etc by adding this code to 4.7 and 5.0 branches.

CommentFileSizeAuthor
persistent_login.module.patch150 bytesniklp

Comments

bjaspan’s picture

Status: Needs review » Fixed

Fixed in 4.7 and 5. I applied the patch but then also just commented out the include_once as non-developers should never use the debug blocked provided by that code; it is a huge security hole if enabled.

niklp’s picture

Thanks - I wasn't clear what you meant about the potential security risk though? Can you clarify this for future reference?

bjaspan’s picture

The file persistent_login_debug.inc provides a Drupal block that includes debugging information for PL but also completely compromises the security of the system. I commented out the inclusion of that file so that no one can accidentally enable the block.

bjaspan’s picture

Status: Fixed » Closed (fixed)