From 0cc681d32bf51c485d54e49f50dd1d0f74b35974 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Tue, 28 Nov 2017 00:38:16 +0100
Subject: [PATCH] auth: support unhashed passwords

String comparison for anything not starting with dollar (which identifies all modern crypts) to keep originals for later resend (deliberate user friendliness over security).
---
 auth.inc.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/auth.inc.php b/auth.inc.php
index b8026f9..94f0dcc 100644
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -16,7 +16,12 @@ function login($inuser, $inpass = NULL)
 # verify password
 $authhash = md5($usertest);
 if (isset($inpass)) {
- if (!password_verify($inpass, $usertest)) return;
+ if (substr($usertest, 0, 1) == '$') {
+ if (!password_verify($inpass, $usertest)) return;
+ }
+ else {
+ if ($inpass !== $usertest) return;
+ }
 }
 else {
 if ($inauth !== $authhash) return;
-- 
2.30.0
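Review bot: In the new `else` branch, `$inpass !== $usertest` checks the stored plaintext with an early-exit string comparison; `if (!is_string($inpass) || !hash_equals($usertest, $inpass)) return;` keeps that check constant-time and also rejects a non-string `$inpass`. The unchanged context line `$authhash = md5($usertest);` matters more after this change: for an unhashed entry, the value compared against `$inauth` is an unsalted MD5 of the password itself, so the token presumably becomes a directly crackable password equivalent. Where `$inauth` comes from is outside the hunk, but deriving the token with a server-side key (for example `hash_hmac('sha256', $usertest, $secret)`, where `$secret` is a placeholder) would avoid that. The `'$'` prefix test also sends a plaintext password that itself begins with `$` to `password_verify()`, where it can never match, so such passwords should be refused wherever they are set, or the restriction documented in a comment here. login() starts and ends outside the hunk.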