MDL-20365 auth_db: Warning users about case sensitive plain passwords

Also, changing returned passwords to lower case when maching against an md5() string or a sha1() string.
hello-josh · Nov 27, 2014 · c00cbdc · c00cbdc
1 parent bc92aac
commit c00cbdc
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/auth/db/auth.php b/auth/db/auth.php
@@ -127,9 +127,9 @@ function user_login($username, $password) {
             if ($this->config->passtype === 'plaintext') {
                 return ($fromdb == $extpassword);
             } else if ($this->config->passtype === 'md5') {
-                return ($fromdb == md5($extpassword));
+                return (strtolower($fromdb) == md5($extpassword));
             } else if ($this->config->passtype === 'sha1') {
-                return ($fromdb == sha1($extpassword));
+                return (strtolower($fromdb) == sha1($extpassword));
             } else if ($this->config->passtype === 'saltedcrypt') {
                 require_once($CFG->libdir.'/password_compat/lib/password.php');
                 return password_verify($extpassword, $fromdb);

diff --git a/auth/db/upgrade.txt b/auth/db/upgrade.txt
@@ -0,0 +1,7 @@
+This files describes API changes in /auth/db/*,
+information provided here is intended especially for developers.
+
+=== 2.9 ===
+
+* Plain text password matching is now always case sensitive, it does not
+  depend on the database sensitiveness anymore.