MDL-20365 auth_db: Warning users about case sensitive plain passwords
authorDavid Monllao <davidm@moodle.com>
Thu, 27 Nov 2014 05:57:06 +0000 (13:57 +0800)
committerDavid Monllao <davidm@moodle.com>
Thu, 27 Nov 2014 05:57:06 +0000 (13:57 +0800)
Also, changing returned passwords to lower case when
matching against an md5() string or a sha1() string.

auth/db/auth.php
auth/db/upgrade.txt [new file with mode: 0644]

index e77bc48..3feed3e 100644 (file)
@@ -127,9 +127,9 @@ class auth_plugin_db extends auth_plugin_base {
             if ($this->config->passtype === 'plaintext') {
                 return ($fromdb == $extpassword);
             } else if ($this->config->passtype === 'md5') {
-                return ($fromdb == md5($extpassword));
+                return (strtolower($fromdb) == md5($extpassword));
             } else if ($this->config->passtype === 'sha1') {
-                return ($fromdb == sha1($extpassword));
+                return (strtolower($fromdb) == sha1($extpassword));
             } else if ($this->config->passtype === 'saltedcrypt') {
                 require_once($CFG->libdir.'/password_compat/lib/password.php');
                 return password_verify($extpassword, $fromdb);
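Review bot: The new md5 and sha1 branches, like the plaintext branch on the context line above them, still compare with loose `==`, so two numeric-looking strings are compared as numbers: a stored digest such as `0e462097431906509019562988736854` matches any other `0e`-followed-by-digits digest, and the plaintext check accepts `"1e3"` for a stored `"1000"`, which undercuts the strict case-sensitive matching the commit message promises. Use strict comparison — `return ($fromdb === $extpassword);`, `return (strtolower($fromdb) === md5($extpassword));`, `return (strtolower($fromdb) === sha1($extpassword));` — or, where the supported PHP version provides it, `hash_equals()`, which is also constant-time like the `password_verify()` branch below. Lower-casing `$fromdb` is safe here because `md5()`/`sha1()` return lowercase hex, so the strict form cannot reject a previously accepted uppercase digest. The enclosing method starts and ends outside this hunk.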
diff --git a/auth/db/upgrade.txt b/auth/db/upgrade.txt
new file mode 100644 (file)
index 0000000..b2a79c7
--- /dev/null
@@ -0,0 +1,7 @@
+This files describes API changes in /auth/db/*,
+information provided here is intended especially for developers.
+
+=== 2.9 ===
+
+* Plain text password matching is now always case sensitive, it does not
+  depend on the database sensitiveness anymore.