From a31041ef7b0365c5eceae3cceb7bcd845896ecd1 Mon Sep 17 00:00:00 2001
From: Paul Holden
Date: Wed, 3 Jul 2024 09:40:36 +0100
Subject: [PATCH] MDL-82365 mod_lesson: stricter equality checks of activity password.
---
 mod/lesson/locallib.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/mod/lesson/locallib.php b/mod/lesson/locallib.php
index 1d105014e6c..a84a68abe62 100644
--- a/mod/lesson/locallib.php
+++ b/mod/lesson/locallib.php
@@ -2864,15 +2864,17 @@ class lesson extends lesson_base {
 if ($this->properties->usepassword && empty($USER->lessonloggedin[$this->id])) {
 $correctpass = false;
- if (!empty($userpassword) &&
- (($this->properties->password == md5(trim($userpassword))) || ($this->properties->password == trim($userpassword)))) {
+
+ $userpassword = trim((string) $userpassword);
+ if ($userpassword !== '' &&
+ ($this->properties->password === md5($userpassword) || $this->properties->password === $userpassword)) {
 // With or without md5 for backward compatibility (MDL-11090).
 $correctpass = true;
 $USER->lessonloggedin[$this->id] = true;
 } else if (isset($this->properties->extrapasswords)) {
 // Group overrides may have additional passwords.
 foreach ($this->properties->extrapasswords as $password) {
- if (strcmp($password, md5(trim($userpassword))) === 0 || strcmp($password, trim($userpassword)) === 0) {
+ if ($password === md5($userpassword) || $password === $userpassword) {
 $correctpass = true;
 $USER->lessonloggedin[$this->id] = true;
 }
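Review bot: The empty-input guard `$userpassword !== ''` covers only the first branch, so an empty submission still falls through to the `extrapasswords` loop, where `$password === $userpassword` succeeds for any override entry that is an empty string. Whether an override can hold `''` is not visible in this hunk, so I would make the guard explicit on the second branch: `} else if ($userpassword !== '' && isset($this->properties->extrapasswords)) {`. Separately, `===` on a secret is not a constant-time comparison; `hash_equals((string) $this->properties->password, md5($userpassword))`, with the same form for the plain-text and override comparisons, removes the timing signal, and the cast keeps a non-string stored value from raising a TypeError. The enclosing method starts and ends outside the hunk, so how `$correctpass` is used after the loop is not covered here.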