From: David Monllao
Date: Thu, 27 Nov 2014 05:57:06 +0000 (+0800)
Subject: MDL-20365 auth_db: Warning users about case sensitive plain passwords
X-Git-Tag: v2.9.0-beta~912
X-Git-Url: http://git.moodle.org/gw?p=moodle.git;a=commitdiff_plain;h=c00cbdc784d0e5be4477ebbd41c8c9ff3e5a7d2f

MDL-20365 auth_db: Warning users about case sensitive plain passwords

Also, changing returned passwords to lower case when maching against an md5() string or a sha1() string.
---
diff --git a/auth/db/auth.php b/auth/db/auth.php
index e77bc48b54f..3feed3edfb6 100644
--- a/auth/db/auth.php
+++ b/auth/db/auth.php
@@ -127,9 +127,9 @@ class auth_plugin_db extends auth_plugin_base {
 if ($this->config->passtype === 'plaintext') {
 return ($fromdb == $extpassword);
 } else if ($this->config->passtype === 'md5') {
- return ($fromdb == md5($extpassword));
+ return (strtolower($fromdb) == md5($extpassword));
 } else if ($this->config->passtype === 'sha1') {
- return ($fromdb == sha1($extpassword));
+ return (strtolower($fromdb) == sha1($extpassword));
 } else if ($this->config->passtype === 'saltedcrypt') {
 require_once($CFG->libdir.'/password_compat/lib/password.php');
 return password_verify($extpassword, $fromdb);
diff --git a/auth/db/upgrade.txt b/auth/db/upgrade.txt
new file mode 100644
index 00000000000..b2a79c7a88d
--- /dev/null
+++ b/auth/db/upgrade.txt
@@ -0,0 +1,7 @@
+This files describes API changes in /auth/db/*,
+information provided here is intended especially for developers.
+
+=== 2.9 ===
+
+* Plain text password matching is now always case sensitive, it does not
+ depend on the database sensitiveness anymore.
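Review bot: The added md5 and sha1 comparisons still use loose `==`, so two hex digests that both consist of `0e` followed only by digits compare as equal numeric strings in PHP (`'0e462097431906509019562988736854' == '0e830400451993494058024219903391'` is true), which lets a crafted password match a stored digest it does not actually equal; the unchanged `return ($fromdb == $extpassword);` plaintext line has the same weakness. Prefer a strict, type-safe comparison, `return hash_equals(md5($extpassword), strtolower($fromdb));` and `return hash_equals(sha1($extpassword), strtolower($fromdb));`, which is also constant-time, or at least `===` if the minimum PHP version here predates hash_equals(), which I cannot tell from the hunk. Lower-casing only `$fromdb` is sufficient since md5() and sha1() already return lower-case hex. The enclosing method begins and ends outside this hunk.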