Use PasswordUtil::secureCompare() in more places
authorTim Düsterhus <duesterhus@woltlab.com>
Sat, 9 Apr 2016 08:45:59 +0000 (10:45 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Sat, 9 Apr 2016 08:45:59 +0000 (10:45 +0200)
wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
wcfsetup/install/files/lib/form/NewPasswordForm.class.php

index 72e1227c634a35d51a702e8114297295cbea69c4..f7ed46508dfbe9da443f6e4318f40568aecd012d 100644 (file)
@@ -6,6 +6,7 @@ use wcf\system\exception\IllegalLinkException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 
 /**
@@ -71,7 +72,7 @@ class NotificationDisableAction extends AbstractAction {
                }
                
                if (isset($_REQUEST['token'])) $this->token = StringUtil::trim($_REQUEST['token']);
-               if (empty($this->token) || $this->token != $this->user->notificationMailToken) {
+               if (empty($this->token) || !PasswordUtil::secureCompare($this->user->notificationMailToken, $this->token)) {
                        throw new IllegalLinkException();
                }
        }
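Review bot: The order of the two operands in the new `secureCompare` call (stored `notificationMailToken` first, request-supplied `$this->token` second) and the `empty($this->token)` short-circuit in front of it deserve a short why-comment, since the next maintainer is likely to "simplify" the line back to `!=`. Suggested comment above the `if`: `// constant-time compare: the token arrives in a URL, so a plain != would let an attacker probe it byte by byte via response timing`. The `empty()` guard is safe to keep before the compare because it only depends on the caller's own input, not on the stored token; note though that `empty()` also rejects a literal `"0"` token, which was already the case before this change. If `notificationMailToken` can be `null` for users who never received a mail, the rejection of an arbitrary submitted token then rests entirely on `secureCompare`'s handling of a null/length mismatch — worth confirming against PasswordUtil, as that helper is outside the hunk. The enclosing method starts outside the hunk.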
index 73ba48bea4ae212d79eed3aaf0e14c8a0ab15e90..9df1e06ef9d15cf0bb621091ade5e78316284593 100644 (file)
@@ -88,7 +88,7 @@ class NewPasswordForm extends AbstractForm {
                        throw new UserInputException('lostPasswordKey', 'notValid');
                }
                
-               if ($this->user->lostPasswordKey != $this->lostPasswordKey) {
+               if (!PasswordUtil::secureCompare($this->user->lostPasswordKey, $this->lostPasswordKey)) {
                        throw new UserInputException('lostPasswordKey', 'notValid');
                }
        }
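Review bot: This file's diff contains only the changed comparison and no `use wcf\util\PasswordUtil;` line, unlike the NotificationDisableAction hunk, so unless NewPasswordForm already imports PasswordUtil above the hunk the call resolves to `wcf\form\PasswordUtil` and fails at runtime on the reset path — please confirm the import exists. Separately, the hunk shows no guard on the stored side: if `$this->user->lostPasswordKey` can be empty or null for a user who never requested a reset, and the check that throws on the line above does not reject an empty submitted key, two empty strings compare equal and the reset goes through; a one-line guard closes that regardless of what the earlier check does: `if (empty($this->user->lostPasswordKey) || !PasswordUtil::secureCompare($this->user->lostPasswordKey, $this->lostPasswordKey)) {`. A comment such as `// constant-time compare; the key is user-supplied and must not leak via timing` would document why `!=` was dropped. The enclosing method starts outside the hunk.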