auth: support unhashed passwords

String comparison for anything not starting with dollar (which identifies
all modern crypts) to keep originals for later resend (deliberate user
friendliness over security).

diff --git a/auth.inc.php b/auth.inc.php
index b8026f9712a2bc757a7628bac4d02afb390ddede..94f0dcc8547f190d5758e7fdad1881a56ce72717 100644 (file)
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -16,7 +16,12 @@ function login($inuser, $inpass = NULL)
        # verify password
        $authhash = md5($usertest);
        if (isset($inpass)) {
-               if (!password_verify($inpass, $usertest)) return;
+               if (substr($usertest, 0, 1) == '$') {
+                       if (!password_verify($inpass, $usertest)) return;
+               }
+               else {
+                       if ($inpass !== $usertest) return;
+               }
        }
        else {
                if ($inauth !== $authhash) return;