Make sure to compare password with unsanitized password (matomo-org#1…

…4033)

plugins/Login/Controller.php

@@ -201,6 +201,9 @@ public function confirmPassword()
         if (!empty($_POST)) {
             $nonce = Common::getRequestVar('nonce', null, 'string', $_POST);
             $password = Common::getRequestVar('password', null, 'string', $_POST);
+            if ($password) {
+                $password = Common::unsanitizeInputValue($password);
+            }
             if (!Nonce::verifyNonce($nonceKey, $nonce)) {
                 $messageNoAccess = $this->getMessageExceptionNoAccess();
             } elseif ($this->passwordVerify->isPasswordCorrect(Piwik::getCurrentUserLogin(), $password)) {

plugins/UsersManager/API.php

@@ -901,6 +901,8 @@ public function updateUser($userLogin, $password = false, $email = false, $alias
                 throw new Exception(Piwik::translate('UsersManager_ConfirmWithPassword'));
             }
 
+            $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
+
             $loginCurrentUser = Piwik::getCurrentUserLogin();
             if (!$this->passwordVerifier->isPasswordCorrect($loginCurrentUser, $passwordConfirmation)) {
                 throw new Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));

plugins/UsersManager/Controller.php

@@ -435,7 +435,7 @@ private function processPasswordChange($userLogin)
         if ($newPassword !== false && !Url::isValidHost()) {
             throw new Exception("Cannot change password or email with untrusted hostname!");
         }
-
+        
         // UI disables password change on invalid host, but check here anyway
         Request::processRequest('UsersManager.updateUser', [
             'userLogin' => $userLogin,