Use `\hash_equals()` for token validation in TwitterAuthAction

diff --git a/wcfsetup/install/files/lib/action/TwitterAuthAction.class.php b/wcfsetup/install/files/lib/action/TwitterAuthAction.class.php
index 447450027ab28fdfa9c194bcfc98e907195fd761..c766e9d885aa6069a8853dddb0ce5e42c916223e 100644 (file)
--- a/wcfsetup/install/files/lib/action/TwitterAuthAction.class.php
+++ b/wcfsetup/install/files/lib/action/TwitterAuthAction.class.php
@@ -58,7 +58,7 @@ class TwitterAuthAction extends AbstractAction
             }
 
             // validate oauth_token
-            if ($_GET['oauth_token'] !== $initData['oauth_token']) {
+            if (!\hash_equals((string) $initData['oauth_token'], (string)$_GET['oauth_token'])) {
                 throw new IllegalLinkException();
             }