Decode plainpassword before check (#115)

When the user's password contains HTML special chars
the password check would always fail if
the given plainpassword is not decoded first.
Armin Leuprecht 2020-08-30 13:57:40 +02:00 committed by GitHub
parent 34d4f20222
commit fb437b037e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -2311,6 +2311,7 @@ function pla_password_hash($password_clear,$enc_type) {
* @return Boolean True if the clear password matches the hash, and false otherwise.
*/
function password_check($cryptedpassword,$plainpassword,$attribute='userpassword') {
$plainpassword = htmlspecialchars_decode($plainpassword);
if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
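Review bot: The unconditional `htmlspecialchars_decode($plainpassword)` at the top of password_check rewrites the value for every caller, so a password that literally contains an entity sequence such as `&amp;` is compared as `&` and no longer matches its own hash. The call also relies on the default flags, which differ between PHP versions (single quotes are decoded by default only from PHP 8.1), so the result may not mirror the escaping that was applied to the input. The escaping presumably happens where request input is read. Decoding there would keep the check operating on exactly the typed password. Failing that, pin the flags to match the encoder, for example `$plainpassword = htmlspecialchars_decode($plainpassword, ENT_QUOTES);` if it escapes with ENT_QUOTES, and add a comment naming that encoder. The function body continues outside the hunk.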