1 files changed, 9 insertions, 7 deletions

diff --git a/inc/auth.php b/inc/auth.php
index 2bdc3eb00..e938830ef 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -95,9 +95,10 @@ function auth_setup() {
         $INPUT->set('http_credentials', true);
     }
 
-    // apply cleaning
+    // apply cleaning (auth specific user names, remove control chars)
     if (true === $auth->success) {
-        $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
+        $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
+        $INPUT->set('p', stripctl($INPUT->str('p')));
     }
 
     if($INPUT->str('authtok')) {
@@ -228,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 
     if(!empty($user)) {
         //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
@@ -638,6 +639,7 @@ function auth_isMember($memberlist, $user, array $groups) {
 
     // compare cleaned values
     foreach($members as $member) {
+        if($member == '@ALL' ) return true;
         if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member);
         if($member[0] == '@') {
             $member = $auth->cleanGroup(substr($member, 1));
@@ -922,7 +924,7 @@ function auth_sendPassword($user, $password) {
     if(!$auth) return false;
 
     $user     = $auth->cleanUser($user);
-    $userinfo = $auth->getUserData($user);
+    $userinfo = $auth->getUserData($user, $requireGroups = false);
 
     if(!$userinfo['mail']) return false;
 
@@ -1080,7 +1082,7 @@ function updateprofile() {
         }
     }
 
-    if($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), $changes))) {
+    if($result = $auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), &$changes))) {
         // update cookie and session with the changed data
         if($changes['pass']) {
             list( /*user*/, $sticky, /*pass*/) = auth_getCookie();
@@ -1184,7 +1186,7 @@ function act_resendpwd() {
         }
 
         $user     = io_readfile($tfile);
-        $userinfo = $auth->getUserData($user);
+        $userinfo = $auth->getUserData($user, $requireGroups = false);
         if(!$userinfo['mail']) {
             msg($lang['resendpwdnouser'], -1);
             return false;
@@ -1236,7 +1238,7 @@ function act_resendpwd() {
             $user = trim($auth->cleanUser($INPUT->post->str('login')));
         }
 
-        $userinfo = $auth->getUserData($user);
+        $userinfo = $auth->getUserData($user, $requireGroups = false);
         if(!$userinfo['mail']) {
             msg($lang['resendpwdnouser'], -1);
             return false;