Link to user homepage contain a password
kenorb - February 25, 2009 - 12:53
| Project: | Email Registration |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | reviewed & tested by the community |
Description
Link to user homepage contains a password.
Like: http://example.com/uzsbgcwfby
This line (50) in email_registration.module:
<?php
$form['name']['#value'] = user_password();
?>
is making this HTML object:
<input id="edit-name" type="hidden" value="dW5dRTJmv3" name="name"/>
which contains the password.
Normally this value should be empty.
After that, this value is passed into user.module, which executes this query:
INSERT INTO users (name, mail, pass, status, timezone, init, created, access) VALUES ('UzSbGcWFBY', ..., 
#1
OK, I found that the username is replaced in email_registration_user(). But I still don't understand why this alias in my case still contains the password.
Watchdog record:
Message: New user: 4wRAJ48YD6 (kenorb4@test.pl).
Severity: notice
Hostname: 127.0.0.1
Operations: edit
Using: logintoboggan, genpass, pathauto
Issue is related to this one:
#254422: Using old data for tokens
#2
Maybe because I'm using pathauto, which has a default alias for users: [user-raw], and its weight is before email_registration?
No.
#3
It's because email_registration updated the name directly in the database without updating the current object, which can be used by other modules, so it's inconsistent.
Apart from the patch, you should change the weight of email_registration to 0 (before autopath, which has 1).
#316737: pathauto_user token data is inconsistent
Or just delete the .install file (where there is nothing) and reinstall the module.
The 1st should be the module which replaces the username, the 2nd should be token, and the 3rd one should be pathauto.
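The ordering problem described in #3, as an added stand-alone PHP model that is not the module's code or the patch attached to this issue. All function names and sample values are hypothetical, and deriving the username from the local part of the e-mail address is an assumption; the weights 10, 1 and 0 are the ones quoted in the thread.

```php
<?php
// Stand-alone model of the hook_user('insert') chain; no Drupal required.
// Every function name and sample value here is hypothetical/constructed.
$db = array(); // stands in for the {users} table: uid => name

// Rename in the "database" only, leaving the shared $account object stale.
function rename_db_only($account) {
  global $db;
  $db[$account->uid] = preg_replace('/@.*$/', '', $account->mail);
}

// Rename in the "database" and on the object that later hooks receive.
function rename_db_and_object($account) {
  global $db;
  $account->name = preg_replace('/@.*$/', '', $account->mail);
  $db[$account->uid] = $account->name;
}

// Stands in for an alias module expanding [user-raw] from the object.
function build_alias($account) {
  return 'users/' . strtolower($account->name);
}

// Run both hooks in ascending weight order; return the alias that was built.
function register($mail, array $weights, $rename) {
  global $db;
  // Constructed random placeholder, as the hidden form field would supply.
  $account = (object) array('uid' => 1, 'name' => 'RaNd0mNaMe', 'mail' => $mail);
  $db[$account->uid] = $account->name;
  $alias = NULL;
  asort($weights);
  foreach (array_keys($weights) as $module) {
    if ($module === 'rename') {
      $rename($account);
    }
    else {
      $alias = build_alias($account);
    }
  }
  return $alias . '  (name in db: ' . $db[$account->uid] . ')';
}

$mail = 'alice@example.com'; // constructed address
echo register($mail, array('rename' => 10, 'alias' => 1), 'rename_db_and_object'), "\n";
echo register($mail, array('rename' => 0, 'alias' => 1), 'rename_db_only'), "\n";
echo register($mail, array('rename' => 0, 'alias' => 1), 'rename_db_and_object'), "\n";
```

Only the third call builds the alias from the replaced name; in the first two the database row is correct while the alias still carries the random placeholder.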
#4
Re-uploaded cleaner version of patch.
#5
Marked: #321473: Module weight & other modules that interact with 'insert' in hook_user as duplicate.
#6
This is the patch for weight; it requires an update (see #3).
You don't need to use this patch for the .install file if you delete your .install file and reinstall the module.
This patch should be combined with #4.
I don't see any reason that email_registration weight should be 10, instead of 0.
#7
I can confirm that using the patches in comments #4 and #6 works.
I'm using this in combination with AAR, subdomain, pathauto and content_profile on D6.9 - and all is well.
Great work. Thank you!
#8
Is this going in the DEV branch?
#9
Committed to 6.x.1.x-dev
Please test, especially the weight change. IIRC this was added back in 5.x to fix this same issue?
I'm not closing this issue just yet.
#10
With the latest dev I can still see a report like this in the watchdog:
"New user: 2wcbWdmbSu (sdaniel@wobster.net)."
2wcbWdmbSu is not the password - what is it?
Anyhow the dev works besides that.