Use secure compare to validate master password

diff --git a/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php b/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
index 23abbf51314dd6f1a136abe054233ece0ea6f821..a7c652e45095c45e215af326194511170e88b335 100755 (executable)
--- a/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
@@ -62,7 +62,7 @@ class MasterPasswordForm extends AbstractForm {
                }
                
                // check password
-               if (PasswordUtil::getSaltedHash($this->masterPassword, MASTER_PASSWORD_SALT) != MASTER_PASSWORD) {
+               if (PasswordUtil::secureCompare(PasswordUtil::getSaltedHash($this->masterPassword, MASTER_PASSWORD_SALT), MASTER_PASSWORD)) {
                        throw new UserInputException('masterPassword', 'invalid');
                }
        }