diff modules/user/user.module @ 11:589fb7c02327 6.5

Drupal 6.5
author Franck Deroche <webmaster@defr.org>
date Tue, 23 Dec 2008 14:32:19 +0100
parents acef7ccb09b5
children 4347c45bb494
--- a/modules/user/user.module	Tue Dec 23 14:32:08 2008 +0100
+++ b/modules/user/user.module	Tue Dec 23 14:32:19 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: user.module,v 1.892.2.6 2008/08/12 05:11:22 dries Exp $
+// $Id: user.module,v 1.892.2.8 2008/10/08 20:12:18 goba Exp $
 
 /**
  * @file
@@ -1334,9 +1334,18 @@
 function user_authenticate($form_values = array()) {
   global $user;
 
+  // Load the account to check if the e-mail is denied by an access rule.
+  // Doing this check here saves us a user_load() in user_login_name_validate()
+  // and introduces less code change for a security fix.
+  $account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1));
+  if ($account && drupal_is_denied('mail', $account->mail)) {
+    form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $account->name)));
+  }
+
   // Name and pass keys are required.
-  if (!empty($form_values['name']) && !empty($form_values['pass']) &&
-      $account = user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1))) {
+  // The user is about to be logged in, so make sure no error was previously
+  // encountered in the validation process.
+  if (!form_get_errors() && !empty($form_values['name']) && !empty($form_values['pass']) && $account) {
     $user = $account;
     user_authenticate_finalize($form_values);
     return $user;
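Review bot: The new `user_load()` call at the top of `user_authenticate()` runs before the `!empty($form_values['name'])` and `!empty($form_values['pass'])` checks, which now appear only in the later `if`. With the default `$form_values = array()`, or a caller that omits a key, the lookup is made with undefined indexes and an empty name and password. Keeping the guard in front of the load preserves the old ordering: `$account = (!empty($form_values['name']) && !empty($form_values['pass'])) ? user_load(array('name' => $form_values['name'], 'pass' => trim($form_values['pass']), 'status' => 1)) : FALSE;`. Separately, `!form_get_errors()` ties a successful login to form-wide error state, so any caller that reaches this function outside a form submission (none is visible here) should be checked for stale or unrelated errors. The function body continues past the end of the hunk.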
@@ -2064,7 +2073,7 @@
     '!site' => variable_get('site_name', 'Drupal'),
     '!login_url' => user_pass_reset_url($account),
     '!uri' => $base_url,
-    '!uri_brief' => substr($base_url, strlen('http://')),
+    '!uri_brief' => preg_replace('!^https?://!', '', $base_url),
     '!mailto' => $account->mail,
     '!date' => format_date(time(), 'medium', '', NULL, $language->language),
     '!login_uri' => url('user', array('absolute' => TRUE, 'language' => $language)),
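Review bot: The pattern `'!^https?://!'` is case-sensitive, so a `$base_url` written with an upper-case scheme would leave the scheme in `!uri_brief`; `preg_replace('!^https?://!i', '', $base_url)` covers that case. Whether `$base_url` can hold such a value depends on how it is set, which is not visible in this hunk. The enclosing array and function begin and end outside the hunk.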