Issue #3277003 by mcdruid, catch, poker10, smustgrave, BramDriesen, guedressel, DamienMcKenna, xjm, Heine, greggles, fjgarlin, pwolanin, moshe weitzman: Harden user_pass_rehash() against attack

core/modules/user/tests/src/Kernel/UserPassRehashTest.php

@@ -0,0 +1,46 @@
+<?php
+
+namespace Drupal\Tests\user\Kernel;
+
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Tests user_pass_rehash().
+ *
+ * @group user
+ */
+class UserPassRehashTest extends KernelTestBase {
+
+  use UserCreationTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = [
+    'user',
+  ];
+
+  /**
+   * Tests uniqueness of hashes when no password is set.
+   */
+  public function testUniqueHashNoPasswordValue(): void {
+    $this->installEntitySchema('user');
+
+    $timestamp = \Drupal::time()->getRequestTime();
+
+    $user_a = $this->createUser([], NULL, FALSE, ['uid' => 12, 'mail' => '3user@example.com', 'login' => $timestamp - 1000]);
+    $user_b = $this->createUser([], NULL, FALSE, ['uid' => 123, 'mail' => 'user@example.com', 'login' => $timestamp - 1000]);
+
+    // Unset passwords after the users are created in order to avoid
+    // (different) password hashes being generated for the empty strings.
+    $user_a->setPassword('');
+    $user_b->setPassword('');
+
+    $hash_a = user_pass_rehash($user_a, $timestamp);
+    $hash_b = user_pass_rehash($user_b, $timestamp);
+
+    $this->assertNotEquals($hash_a, $hash_b);
+  }
+
+}

core/modules/user/user.module

@@ -580,9 +580,9 @@ function user_cancel_url(UserInterface $account, $options = []) {
  */
 function user_pass_rehash(UserInterface $account, $timestamp) {
   $data = $timestamp;
-  $data .= $account->getLastLoginTime();
-  $data .= $account->id();
-  $data .= $account->getEmail();
+  $data .= ':' . $account->getLastLoginTime();
+  $data .= ':' . $account->id();
+  $data .= ':' . $account->getEmail();
   return Crypt::hmacBase64($data, Settings::getHashSalt() . $account->getPassword());
 }