authorBrett Profitt <brett.profitt@gmail.com>2012-04-18 20:22:54 -0700
committerBrett Profitt <brett.profitt@gmail.com>2012-04-18 20:22:54 -0700
commit8aad9f081b9fd83f8cd8358547234fbdcdaf9611 (patch)
tree98ec37f919182a4c0c582752614443ea4d648ca1 /engine
parentf2a80038cddec5ed86b3dd9edb31cf07e3376de8 (diff)
Fixes #1301. Not filtering passwords.
Diffstat (limited to 'engine')
-rw-r--r--engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php11
-rw-r--r--engine/lib/user_settings.php6
2 files changed, 14 insertions, 3 deletions
diff --git a/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php b/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php
new file mode 100644
index 000000000..b82ffbebf
--- /dev/null
+++ b/engine/lib/upgrades/2012041800-1.8.3-dont_filter_passwords-c0ca4a18b38ae2bc.php
@@ -0,0 +1,11 @@
+<?php
+/**
+ * Elgg 1.8.3 upgrade 2012041800
+ * dont_filter_passwords
+ *
+ * Add admin notice that password handling has changed and if
+ * users can't login to have them reset their passwords.
+ */
+elgg_add_admin_notice('dont_filter_passwords', 'Password handling has been updated to be more secure and flexible. '
+ . 'This change may prevent a small number of users from logging in with their existing passwords. '
+ . 'If a user is unable to log in, please advise him or her to reset their password, or reset it as an admin user.');
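Review bot: The notice passed to `elgg_add_admin_notice()` does not tell the admin which accounts are likely to be affected, and it is a hard-coded English string, so it presumably bypasses the language files. Judging from the commit title and the `get_input(..., null, false)` change in user_settings.php, the affected users would be those whose passwords contained characters that input filtering used to alter. One added sentence saying so would help an admin recognise the failure when it is reported, rather than treat it as a forgotten password or a compromised account. Consider routing the text through `elgg_echo()` with a language key, and say "advise them to reset their password" for consistency.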
diff --git a/engine/lib/user_settings.php b/engine/lib/user_settings.php
index af30d8f0d..e4069fb53 100644
--- a/engine/lib/user_settings.php
+++ b/engine/lib/user_settings.php
@@ -33,9 +33,9 @@ function users_settings_save() {
* @access private
*/
function elgg_set_user_password() {
- $current_password = get_input('current_password');
- $password = get_input('password');
- $password2 = get_input('password2');
+ $current_password = get_input('current_password', null, false);
+ $password = get_input('password', null, false);
+ $password2 = get_input('password2', null, false);
$user_guid = get_input('guid');
if (!$user_guid) {
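Review bot: The bare `false` third argument on the three password `get_input()` calls gives no hint why filtering is off here, so a later cleanup could easily "fix" it back. A short comment above them would pin the intent, for example `// Do not filter passwords: filtering alters the secret before it is hashed (see #1301)`. For existing accounts the stored hash was presumably computed from the filtered value, so `$current_password` may no longer match for users whose old password contained filtered characters; they cannot change it through this form and need the reset path, which is worth stating in the docblock. The rest of `elgg_set_user_password()` is outside this hunk, so it cannot be confirmed from here that the now-raw values are never echoed into a page or an error message, or written to a log.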