From 5d0cacf825af83aba0e00ed8ff9421b4e5714f0c Mon Sep 17 00:00:00 2001
From: Angie Byron <webchick@24967.no-reply.drupal.org>
Date: Fri, 12 Mar 2010 05:20:29 +0000
Subject: [PATCH] #86299 follow-up by coltrane and clojel: Stop users'
 passwords from being stored in users.data in plain-text. Ouch.

---
 modules/user/user.module | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/user/user.module b/modules/user/user.module
index aaa9fd3b65e..0c17eaa45a9 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -391,7 +391,7 @@ function user_save($account, $edit = array(), $category = 'account') {
         // Form fields that don't pertain to the users, user_roles, or
         // Field API are automatically serialized into the users.data
         // column.
-        if (!in_array($key, array('roles', 'is_new')) && empty($user_fields[$key]) && empty($field_names[$key])) {
+        if (!in_array($key, array('roles', 'is_new', 'current_pass_required_values', 'current_pass')) && empty($user_fields[$key]) && empty($field_names[$key])) {
           if ($value === NULL) {
             unset($data[$key]);
           }