| author | Andreas Fischer <bantu@phpbb.com> | 2010-12-16 02:22:17 +0100 |
|---|---|---|
| committer | Andreas Fischer <bantu@phpbb.com> | 2010-12-16 02:22:17 +0100 |
| commit | 442fc61be77787c211650f21b2fb485f5e6ffcf0 (patch) | |
| tree | 804ce33f487ab3f9d1ed19db203a91522d4dd184 /phpBB/includes/auth/auth_db.php | |
| parent | 8b9b1f118726e9fb088737129a02e9959ac1adc4 (diff) | |
| parent | b08e0d17728f8733a403834a8ffa85b01c16d805 (diff) | |
Merge branch 'feature/igorw/request-class' into develop
* feature/igorw/request-class:
[feature/request-class] Convert some remaining cookies
[feature/request-class] Adjust misleading comment
[feature/request-class] Remove direct access to _REQUEST in acp_search
[feature/request-class] Special case of direct access to _REQUEST
Diffstat (limited to 'phpBB/includes/auth/auth_db.php')
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 910eb10bdb..6304d6e49a 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -27,6 +27,7 @@ if (!defined('IN_PHPBB')) function login_db(&$username, &$password) { global $db, $config; + global $request; // do not allow empty password if (!$password) @@ -96,12 +97,23 @@ function login_db(&$username, &$password) // If the password convert flag is set we need to convert it if ($row['user_pass_convert']) { + // enable super globals to get literal value + // this is needed to prevent unicode normalization + $super_globals_disabled = $request->super_globals_disabled(); + if ($super_globals_disabled) + { + $request->enable_super_globals(); + } + // in phpBB2 passwords were used exactly as they were sent, with addslashes applied $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = ''; + $password_new_format = $request->variable('password', '', true); - set_var($password_new_format, stripslashes($password_old_format), 'string'); + if ($super_globals_disabled) + { + $request->disable_super_globals(); + } if ($password == $password_new_format) { |
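Review bot: In the password-convert branch, super globals stay re-enabled for longer than the one read that needs them: only the `$_REQUEST['password']` lookup requires direct access, yet `$request->variable('password', '', true)` also runs before `disable_super_globals()` is called. Moving the `if ($super_globals_disabled) { $request->disable_super_globals(); }` block to directly after the `$_REQUEST['password']` line keeps the protection lifted for a single statement and makes it harder for a later edit to add an early return that leaves it off. Separately, the removed `set_var(..., 'string')` call derived the new-format value from the old-format string, while the replacement passes `true` as the third argument; if that is the multibyte flag, non-ASCII passwords may now compare differently in `$password == $password_new_format`, which deserves a comment or a test. That comparison uses loose `==`, so numeric-looking strings are compared numerically; `===` would be exact. The body of login_db continues outside the hunk.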
