Closed (fixed)
Project:
Email Verify
Version:
6.x-1.x-dev
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
10 Apr 2009 at 21:09 UTC
Updated:
11 May 2009 at 14:20 UTC
There is a syntax error in email_verify.check.inc on line 28.
In addition, the access permissions on email_verify page pose a real security/privacy risk since anyone with view access content permission (everyone) can view all other user email addresses. The path should be set to:
admin/users/users/email_verify
and the access arguments should be set to:
administer users
Attached is patch which fixes this (patched against 6.x-1.x-dev 2009-Mar-19).
| Comment | File | Size | Author |
|---|---|---|---|
| email_verify-admin-users.patch | 954 bytes | john.money |
Comments
Comment #1
dbr commentedThanks for the fixes.
I never documented the verify function, so the risk is smaller, but indeed it can easily be found in the code, so it's safer like this.
The patch is applied to the 6.x-1.x-dev branch.
Comment #2
dbr commentedThis is now fixed in 6.x-1.1
Comment #3
dbr commented