diff options
| author | Igor Wiedler <igor@wiedler.ch> | 2010-10-14 08:28:05 +0200 |
|---|---|---|
| committer | Igor Wiedler <igor@wiedler.ch> | 2010-10-14 08:28:05 +0200 |
| commit | 9c8b210ef0884af193c1fe89ac7c6f428b2c1aab (patch) | |
| tree | 8dc6d98e5053a5ec86cdb6020c1b43615cba32de /phpBB/includes/auth | |
| parent | 5de4924c4beabad4100f329ade0af8e7c03c5eff (diff) | |
| download | forums-9c8b210ef0884af193c1fe89ac7c6f428b2c1aab.tar forums-9c8b210ef0884af193c1fe89ac7c6f428b2c1aab.tar.gz forums-9c8b210ef0884af193c1fe89ac7c6f428b2c1aab.tar.bz2 forums-9c8b210ef0884af193c1fe89ac7c6f428b2c1aab.tar.xz forums-9c8b210ef0884af193c1fe89ac7c6f428b2c1aab.zip | |
[feature/request-class] Special case of direct access to _REQUEST
PHPBB3-9716
Diffstat (limited to 'phpBB/includes/auth')
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index b672e212bf..cef58297d3 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -27,6 +27,7 @@ if (!defined('IN_PHPBB')) function login_db(&$username, &$password) { global $db, $config; + global $request; // do not allow empty password if (!$password) @@ -96,12 +97,23 @@ function login_db(&$username, &$password) // If the password convert flag is set we need to convert it if ($row['user_pass_convert']) { + // enable super globals to get literal value + // this is needed to prevent unicode normalization + $super_globals_disabled = $request->super_globals_disabled(); + if ($super_globals_disabled) + { + $request->enable_super_globals(); + } + // in phpBB2 passwords were used exactly as they were sent, with addslashes applied $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = ''; + $password_new_format = $request->variable('password', '', true); - set_var($password_new_format, stripslashes($password_old_format), 'string'); + if ($super_globals_disabled) + { + $request->disable_super_globals(); + } if ($password == $password_new_format) { |