Fix missing negation for hash_equals() methods

See c914372abbe9f62b765f4b0e0b934f6d45150201
See #2873

diff --git a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
index 50c06cb6a835d4b993f239b2c0ecd76c106b6f39..c7adcdf48dad7fdb50e4bfda92c600469e5eaa71 100644 (file)
--- a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
+++ b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
@@ -69,7 +69,7 @@ class NotificationDisableAction extends AbstractAction {
                }
                
                if (isset($_REQUEST['token'])) $this->token = StringUtil::trim($_REQUEST['token']);
-               if (empty($this->token) || \hash_equals($this->user->notificationMailToken, $this->token)) {
+               if (empty($this->token) || !\hash_equals($this->user->notificationMailToken, $this->token)) {
                        throw new IllegalLinkException();
                }
        }

diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
index dfec55fe71e482aca4e99b292ecbe741793b2fc1..009093e4530d7332a693239412c399d6abf18288 100644 (file)
--- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
@@ -68,7 +68,7 @@ class NewPasswordForm extends AbstractForm {
                        if (!$this->user->userID) throw new IllegalLinkException();
                        
                        if (!$this->user->lostPasswordKey) throw new IllegalLinkException();
-                       if (\hash_equals($this->user->lostPasswordKey, $this->lostPasswordKey)) {
+                       if (!\hash_equals($this->user->lostPasswordKey, $this->lostPasswordKey)) {
                                throw new IllegalLinkException();
                        }
                        // expire lost password requests after a day