From fb437b037e8fda23e84f3cbf85d5700d3a3f4ab4 Mon Sep 17 00:00:00 2001
From: Armin Leuprecht
Date: Sun, 30 Aug 2020 13:57:40 +0200
Subject: [PATCH] Decode plainpassword before check (#115)

When the user's password contains HTML special chars the password check would always fail if the the given plainpassword is not decoded first.
---
 lib/functions.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/functions.php b/lib/functions.php
index a16648c..354fe57 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -2311,6 +2311,7 @@ function pla_password_hash($password_clear,$enc_type) {
 * @return Boolean True if the clear password matches the hash, and false otherwise.
 */
 function password_check($cryptedpassword,$plainpassword,$attribute='userpassword') {
+ $plainpassword = htmlspecialchars_decode($plainpassword);
 if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
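Review bot: The added `htmlspecialchars_decode($plainpassword)` at the top of password_check runs for every caller, so the function now assumes its argument was HTML-encoded upstream. A caller that passes a raw password containing a literal entity such as `&amp;` would have it rewritten before the comparison, and the encoded and decoded spellings of a password would both verify against the same hash. The call also relies on the default flags, which decode single quotes only from PHP 8.1 on, so if the request-input encoding (not visible in this hunk) uses ENT_QUOTES, a password containing `'` could still fail on older PHP versions. I would decode once at the place where the input is encoded, or at least pin the flags and document the assumption, e.g. `$plainpassword = htmlspecialchars_decode($plainpassword, ENT_QUOTES); // undo the HTML-encoding applied to request input; callers must pass the encoded form`. The body of password_check continues past the end of the hunk.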