Originally filed by hefox in the security queue. Since the 7.x branch is not affected by this issue and the 6.x branch is not supported, this can now be public:
The login resource only calls user_authenticate to login in a given user, http://drupalcode.org/project/services.git/blob/refs/heads/6.x-3.x:/reso..., which both ignores the other validation handles core provides (e.g. http://api.drupal.org/api/drupal/modules!user!user.module/function/user_... ) and any that a contrib module may have added.
To reproduce (haven't directly tested, based on looking at code)
1) install and configure resources
2) Create a user then block their name
3) Try to login via that user using login block -- should fail
4) Try to login via services resource -- won't failThis, http://drupalcode.org/project/bakery.git/blob/refs/heads/6.x-2.x:/bakery..., is how bakery handles the situation.
Looking at 6.x, haven't checked if similar problems exist in 7.x
Comments
Comment #1
marcingy CreditAttribution: marcingy commentedAs services d6 is not supported dropping the priority level
Comment #2
marcingy CreditAttribution: marcingy commentedComment #3
gregglesI just meant "critical" in terms of something that has to be fixed before a release not in terms of the priority the maintainers should put on it.
How about this tag?
Comment #4
kylebrowning CreditAttribution: kylebrowning commentedI fixed this.
http://drupalcode.org/project/services.git/commit/2e3cc07
Comment #5
gregglesUnless services_error does its own filtering, a username should get an @user placeholder.
Comment #6
kylebrowning CreditAttribution: kylebrowning commentedWhoops. Fixed.
http://drupalcode.org/project/services.git/commit/06ed9a0