Use PasswordUtil::secureCompare() to validate SECURITY_TOKEN

diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index dd63d07abeef83c917032aba8b93e0725b0263a9..643b7914a6a75317c363cffbd25f657d6c685303 100644 (file)
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -10,6 +10,7 @@ use wcf\system\user\authentication\UserAuthenticationFactory;
 use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
+use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;
 
@@ -232,7 +233,7 @@ class SessionHandler extends SingletonFactory {
         * @return      boolean
         */
        public function checkSecurityToken($token) {
-               return ($this->getSecurityToken() === $token);
+               return PasswordUtil::secureCompare($this->getSecurityToken(), $token);
        }
        
        /**