User able to login with cleartext password and no salt

Here is a patch that will fix issue 1.

I have not attempted to fix issue 2, due to the following code that is present within the validate_password function in auth/internal/lib.php:

if ($salt == null) {
            // This allows "plaintext" passwords, which are eaiser for an admin to
            // create by hacking in the database directly. The application does not
            // create passwords in this form.
            // We don't allow empty passwords here to prevent anyone logging in to
            // user accounts that were created by some other passwordless auth
            // method and subsequently changed to internal.
            return $wehave != '' && $theysent == $wehave;
        }

Hi Eugene,

Talked about this stuff with Francois on Friday & we agreed that it's not serious enough to have to keep it secret or fix on the stable branches. Users are not having their own passwords stored in plaintext, it can only happen for the admin-generated ones, so fixing this on master is fine.

For issue 1, that improved patch you showed me looked good, so you should push it to master if you're ready.

Francois convinced me we should fix issue 2 as well, especially to stop any more code/plugins from being tempted to set plaintext passwords in future. To do this we'd need an upgrade to go through the user table, set salt & hash the password on all records with a non-empty password and empty salt.

Issues 1a, 1b and 1c! We also need to fix up code that sets cleartext passwords in three other places in the admin section: /admin/users/add.php, /admin/users/bulkimport.php and /admin/users/uploadcsv.php (same fix as issue 1).

When that's done, the stuff in validate_password that allows users to log in with no salt can be removed.