[phpBB 3] passwords with special characters not recognized

Open burner1024 opened this issue 5 years ago • 6 comments

Any user having an & (ampersand) in their password is not able to login after merge.

Apparently phpBB replaces it with &amp;amp; prior to hashing and storing in the database. So "test1&test1" password is in fact "test1&amp;amp;test1" as far as phpBB is concerned. But loginconvert.php uses pristine password for comparison, and the result is that the hashes never match. Same for other special characters.

This lets such users log in:

 function check_phpbb3($password, $user)
 {
        // The bcrypt hash is at least 60 chars and is used in phpBB 3.1
-       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt($password, $user['passwordconvert']))
+       if (my_strlen($user['passwordconvert']) >= 60 && $user['passwordconvert'] == crypt(htmlspecialchars($password), $user['passwordconvert']))
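
Review bot: the htmlspecialchars($password) call on the added line passes no flags or charset, so the escaping follows the defaults of whichever PHP version runs the board (PHP 8.1 changed the default from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401), and a password containing a single quote can then hash differently from what the source forum stored. Pass the flags and charset explicitly so they match the source forum's escaping, and while on this line replace the loose == comparison of the two hashes with hash_equals().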

This is true for phpBB 3.2.4, not sure about other releases. Also not sure whether it's a bug or a feature of phpBB, but I think Merge System should handle this either way, even if it requires some ugly version detection.

burner1024, Mar 22 '19 14:03
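
The mismatch described in the issue, reproduced as an added example that is not part of the original issue and is not Merge System or phpBB code. It assumes the source forum escaped passwords with ENT_COMPAT and UTF-8 before hashing; `source_forum_escape()` and `verify_imported_bcrypt()` are hypothetical names, and the sample passwords and hashes are constructed. The four `var_dump` calls show the raw comparison failing, the escaped one succeeding, and the same pattern for a single quote when the escaping flags differ from the ones used at hash time.

```php
<?php
// Assumption: the source forum ran the submitted password through
// htmlspecialchars() with these exact flags before hashing it.
function source_forum_escape(string $password): string
{
    return htmlspecialchars($password, ENT_COMPAT, 'UTF-8');
}

// Hypothetical helper: check a login password against an imported bcrypt hash.
function verify_imported_bcrypt(string $password, string $stored): bool
{
    if (strlen($stored) < 60) {
        return false; // not a bcrypt hash; other formats are out of scope here
    }
    // Re-apply the source forum's escaping, then hash with the stored salt.
    $computed = crypt(source_forum_escape($password), $stored);

    // hash_equals() compares in constant time and never type-juggles.
    return is_string($computed) && hash_equals($stored, $computed);
}

// Constructed sample: store the hash the way the source forum would have.
$typed  = 'test1&test1';
$stored = password_hash(source_forum_escape($typed), PASSWORD_BCRYPT, ['cost' => 4]);

// Pristine password, as compared before the patch in the issue.
var_dump(hash_equals($stored, crypt($typed, $stored)));

// Escaped password, with flags pinned explicitly.
var_dump(verify_imported_bcrypt($typed, $stored));

// Flag sensitivity: ENT_QUOTES also rewrites the single quote, ENT_COMPAT
// does not, so escaping with the wrong flags yields a different bcrypt input.
$quoted  = "it's";
$stored2 = password_hash(source_forum_escape($quoted), PASSWORD_BCRYPT, ['cost' => 4]);
$wrong   = htmlspecialchars($quoted, ENT_QUOTES, 'UTF-8');
var_dump(hash_equals($stored2, crypt($wrong, $stored2)));
var_dump(verify_imported_bcrypt($quoted, $stored2));
```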