Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Originally filed by hefox in the security queue. Since the 7.x branch is not affected by this issue and the 6.x branch is not supported, this can now be public:
The login resource only calls user_authenticate to login in a given user, http://drupalcode.org/project/services.git/blob/refs/heads/6.x-3.x:/reso..., which both ignores the other validation handles core provides (e.g. http://api.drupal.org/api/drupal/modules!user!user.module/function/user_... ) and any that a contrib module may have added.
To reproduce (haven't directly tested, based on looking at code)
1) install and configure resources
2) Create a user then block their name
3) Try to login via that user using login block -- should fail
4) Try to login via services resource -- won't failThis, http://drupalcode.org/project/bakery.git/blob/refs/heads/6.x-2.x:/bakery..., is how bakery handles the situation.
Looking at 6.x, haven't checked if similar problems exist in 7.x
Comments
Comment #1
marcingy CreditAttribution: marcingy commentedAs services d6 is not supported dropping the priority level
Comment #2
marcingy CreditAttribution: marcingy commentedComment #3
gregglesI just meant "critical" in terms of something that has to be fixed before a release not in terms of the priority the maintainers should put on it.
How about this tag?
Comment #4
kylebrowning CreditAttribution: kylebrowning commentedI fixed this.
http://drupalcode.org/project/services.git/commit/2e3cc07
Comment #5
gregglesUnless services_error does its own filtering, a username should get an @user placeholder.
Comment #6
kylebrowning CreditAttribution: kylebrowning commentedWhoops. Fixed.
http://drupalcode.org/project/services.git/commit/06ed9a0