MDL-20365 auth_db: Warning users about case sensitive plain passwords

Also, changing returned passwords to lower case when
maching against an md5() string or a sha1() string.

diff --git a/auth/db/auth.php b/auth/db/auth.php
index e77bc48..3feed3e 100644 (file)
--- a/auth/db/auth.php
+++ b/auth/db/auth.php
@@ -127,9 +127,9 @@ class auth_plugin_db extends auth_plugin_base {
             if ($this->config->passtype === 'plaintext') {
                 return ($fromdb == $extpassword);
             } else if ($this->config->passtype === 'md5') {
-                return ($fromdb == md5($extpassword));
+                return (strtolower($fromdb) == md5($extpassword));
             } else if ($this->config->passtype === 'sha1') {
-                return ($fromdb == sha1($extpassword));
+                return (strtolower($fromdb) == sha1($extpassword));
             } else if ($this->config->passtype === 'saltedcrypt') {
                 require_once($CFG->libdir.'/password_compat/lib/password.php');
                 return password_verify($extpassword, $fromdb);

diff --git a/auth/db/upgrade.txt b/auth/db/upgrade.txt
new file mode 100644 (file)
index 0000000..b2a79c7
--- /dev/null
+++ b/auth/db/upgrade.txt
@@ -0,0 +1,7 @@
+This files describes API changes in /auth/db/*,
+information provided here is intended especially for developers.
+
+=== 2.9 ===
+
+* Plain text password matching is now always case sensitive, it does not
+  depend on the database sensitiveness anymore.