Closed (fixed)
Project:
Persistent Login
Version:
5.x-1.0
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
29 Jan 2007 at 15:58 UTC
Updated:
20 Feb 2007 at 04:59 UTC
Under php5 with Drupal 5.0, an open_basedir restriction occurs.
There is an incorrectly written include:
include 'persistent_login_debug.inc';
which should be
include_once(drupal_get_path('module', 'persistent_login') .'/persistent_login_debug.inc');
A patch is attached if someone wants to check it and commit it - AFAIK there are no problems with retrograding etc by adding this code to 4.7 and 5.0 branches.
| Comment | File | Size | Author |
|---|---|---|---|
| persistent_login.module.patch | 150 bytes | niklp |
Comments
Comment #1
bjaspan commentedFixed in 4.7 and 5. I applied the patch but then also just commented out the include_once as non-developers should never use the debug blocked provided by that code; it is a huge security hole if enabled.
Comment #2
niklp commentedThanks - I wasn't clear what you meant about the potential security risk though? Can you clarify this for future reference?
Comment #3
bjaspan commentedThe file persistent_login_debug.inc provides a Drupal block that includes debugging information for PL but also completely compromises the security of the system. I commented out the inclusion of that file so that no one can accidentally enable the block.
Comment #4
bjaspan commented