If you navigate to a user's login history page at /user/%user/login_history, the report shows data from all users. It looks like login_history_menu() passes an argument to login_history_report_callback(), but that argument is not in the function signature, nor is it used to refine the query.
This may be a potential security issue if you allow users to "View own login history", since the user will then have access to potentially sensitive data from all users.
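The following is an added illustration of the bug the issue describes and of the shape of the fix, not code from the login_history module itself. The menu paths and the function names `login_history_menu()` and `login_history_report_callback()` come from the issue text; the table and column names (`login_history`, `uid`, `login`, `hostname`), the permission machine names and the access callback are assumptions made for the example.

```php
<?php
// Added example, not the module's own code. Table/column names, permission
// names and login_history_report_access() are assumptions for illustration.

/**
 * Implements hook_menu().
 *
 * Both the site-wide report and the per-user tab share one page callback.
 * The per-user item passes the loaded user object (path component 1) as the
 * first page argument; the report callback has to accept and use it.
 */
function login_history_menu() {
  $items['admin/reports/login-history'] = array(
    'title' => 'Login history',
    'page callback' => 'login_history_report_callback',
    'access arguments' => array('view all login histories'), // assumed name
  );
  $items['user/%user/login_history'] = array(
    'title' => 'Login history',
    'page callback' => 'login_history_report_callback',
    'page arguments' => array(1), // the %user object, auto-loaded by user_load()
    'access callback' => 'login_history_report_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/**
 * Buggy form: the signature drops the $account argument that hook_menu()
 * passes, so the per-user tab runs the same unfiltered query as the
 * site-wide report and shows every user's logins.
 */
function login_history_report_callback_buggy() {
  $query = db_select('login_history', 'lh')
    ->fields('lh', array('uid', 'login', 'hostname'))
    ->orderBy('login', 'DESC');
  return login_history_report_render($query);
}

/**
 * Fixed form: accept the optional account and restrict the query to its uid.
 * Leaving the argument optional keeps admin/reports/login-history working,
 * which is the regression the first patch in this issue introduced.
 */
function login_history_report_callback($account = NULL) {
  $query = db_select('login_history', 'lh')
    ->fields('lh', array('uid', 'login', 'hostname'))
    ->orderBy('login', 'DESC');
  if ($account !== NULL) {
    $query->condition('lh.uid', $account->uid);
  }
  return login_history_report_render($query);
}

/**
 * Shared rendering: escape untrusted columns before they reach the table.
 */
function login_history_report_render(SelectQuery $query) {
  $rows = array();
  foreach ($query->execute() as $record) {
    $rows[] = array(
      (int) $record->uid,
      format_date($record->login, 'short'),
      check_plain($record->hostname),
    );
  }
  $header = array(t('UID'), t('Date'), t('Host'));
  return theme('table', array('header' => $header, 'rows' => $rows));
}

/**
 * Access callback for the per-user tab (assumed): a user may see their own
 * history with "view own login history", all histories with the admin right.
 */
function login_history_report_access($account) {
  global $user;
  return user_access('view all login histories')
    || (user_access('view own login history') && $user->uid == $account->uid);
}
```

The security-relevant point is in the callback signature: the menu router supplies the account, but unless the callback both declares the parameter and uses it in a `condition()`, "view own login history" effectively grants "view all login histories".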
Comment | File | Size | Author |
---|---|---|---|
#6 | login_history-1691412-6.patch | 1.22 KB | star-szr |
#3 | login_history-1691412-3.patch | 846 bytes | star-szr |
#1 | login_history_report_bug-1691412.patch | 2.8 KB | a_thakur |
#1 | Screenshot from 2012-08-01 13:30:47.png | 96.47 KB | a_thakur |
#1 | Screenshot from 2012-08-01 13:30:59.png | 62.54 KB | a_thakur |
Comments
Comment #1
a_thakur commented: The attached patch resolves the issue. Please review and test it. The attached screenshots show the results.
Comment #2
greggles: Looks good to me.
Comment #3
star-szr: Thanks for the patch @a_thakur. This patch fixes the user-specific reports, but unfortunately it also breaks the global login report.
Here's a new patch to fix this bug. This patch only adjusts the menu callback and leaves the menu path as is to be addressed in #1707200: Change user login history menu item to use a dash instead of an underscore. Feel free to open a new documentation issue for the @file docblocks, that way we can keep things a bit more separated and easier to review.
As with my other patches, #1691474: Convert files to unix line endings has been applied first.
Comment #4
a_thakur commented: Thanks for the revised patch Cottser. I had suspected that I had missed that particular setting, which I believe had caused the error to appear when the login history report was viewed from the "Report" menu item in the admin menu.
The patch works fine.
Comment #5
star-szr: Committed to 7.x-1.x in bdec4d4, moving to 6.x for backport.
Comment #6
star-szr: Here's a patch for the D6 version. Not as clean unfortunately, no DBTNG :)
I tested the per-user reports at user/%uid/login_history and the overall report at admin/reports/login-history.
Comment #7
star-szr: Committed to 6.x-1.x in 87cd227.
Comment #8
a_thakur commented: The bug still persists in the 7.x-1.0-beta1 branch.
Comment #9
star-szr: @a_thakur - I'll be tagging a new beta release in the near future. For now, please use the dev version.
Comment #10
star-szr: Actually, this should go back to 6.x…
Comment #11
star-szr: @a_thakur - I just created the release for 7.x-1.0-beta2, should be available for download ~~within 24 hours~~ now.