mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-05-20 14:29:48 +02:00
Code Issues Releases Wiki Activity

[feature/request-class] Special case of direct access to _REQUEST

Browse Source 
PHPBB3-9716
This commit is contained in:
Igor Wiedler 2010-10-14 08:28:05 +02:00
parent 5de4924c4b
commit 9c8b210ef0
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
phpBB/includes/auth/auth_db.php
View File

@ -27,6 +27,7 @@ if (!defined('IN_PHPBB'))
function login_db(&$username, &$password)
{
global $db, $config;
global $request;
// do not allow empty password
if (!$password)
@ -96,12 +97,23 @@ function login_db(&$username, &$password)
// If the password convert flag is set we need to convert it
if ($row['user_pass_convert'])
{
// enable super globals to get literal value
// this is needed to prevent unicode normalization
$super_globals_disabled = $request->super_globals_disabled();
if ($super_globals_disabled)
{
$request->enable_super_globals();
}
// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
$password_new_format = '';
$password_new_format = $request->variable('password', '', true);
set_var($password_new_format, stripslashes($password_old_format), 'string');
if ($super_globals_disabled)
{
$request->disable_super_globals();
}
if ($password == $password_new_format)
{