1 files changed, 15 insertions, 5 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php
index 6ca69d9174..b4ae1911cf 100644
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@@ -40,6 +40,7 @@ if (!defined('IN_PHPBB'))
 function login_db($username, $password, $ip = '', $browser = '', $forwarded_for = '')
 {
 	global $db, $config;
+	global $request;
 
 	// do not allow empty password
 	if (!$password)
@@ -122,7 +123,7 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
 	if ($show_captcha)
 	{
 		// Visual Confirmation handling
-		if (!class_exists('phpbb_captcha_factory'))
+		if (!class_exists('phpbb_captcha_factory', false))
 		{
 			global $phpbb_root_path, $phpEx;
 			include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx);
@@ -149,12 +150,23 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
 	// If the password convert flag is set we need to convert it
 	if ($row['user_pass_convert'])
 	{
+		// enable super globals to get literal value
+		// this is needed to prevent unicode normalization
+		$super_globals_disabled = $request->super_globals_disabled();
+		if ($super_globals_disabled)
+		{
+			$request->enable_super_globals();
+		}
+
 		// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
 		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
 		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
-		$password_new_format = '';
+		$password_new_format = $request->variable('password', '', true);
 
-		set_var($password_new_format, stripslashes($password_old_format), 'string');
+		if ($super_globals_disabled)
+		{
+			$request->disable_super_globals();
+		}
 
 		if ($password == $password_new_format)
 		{
@@ -263,5 +275,3 @@ function login_db($username, $password, $ip = '', $browser = '', $forwarded_for
 		'user_row'		=> $row,
 	);
 }
-
-?>
-\ No newline at end of file