From: Tim Düsterhus
Date: Sat, 9 Apr 2016 08:45:59 +0000 (+0200)
Subject: Use PasswordUtil::secureCompare() in more places
X-Git-Tag: 2.1.11~38
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a3e1bb464381505bb0d8aa0e0e883a866a4bf398;p=GitHub%2FWoltLab%2FWCF.git
Use PasswordUtil::secureCompare() in more places
---
diff --git a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
index 72e1227c63..f7ed46508d 100644
--- a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
+++ b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
@@ -6,6 +6,7 @@ use wcf\system\exception\IllegalLinkException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
 use wcf\util\HeaderUtil;
+use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 /**
@@ -71,7 +72,7 @@ class NotificationDisableAction extends AbstractAction {
 }
 if (isset($_REQUEST['token'])) $this->token = StringUtil::trim($_REQUEST['token']);
- if (empty($this->token) || $this->token != $this->user->notificationMailToken) {
+ if (empty($this->token) || !PasswordUtil::secureCompare($this->user->notificationMailToken, $this->token)) {
 throw new IllegalLinkException();
 }
 }
diff --git a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
index 73ba48bea4..9df1e06ef9 100644
--- a/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/form/NewPasswordForm.class.php
@@ -88,7 +88,7 @@ class NewPasswordForm extends AbstractForm {
 throw new UserInputException('lostPasswordKey', 'notValid');
 }
- if ($this->user->lostPasswordKey != $this->lostPasswordKey) {
+ if (!PasswordUtil::secureCompare($this->user->lostPasswordKey, $this->lostPasswordKey)) {
 throw new UserInputException('lostPasswordKey', 'notValid');
 }
 }
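Review bot: In NotificationDisableAction.class.php (hunk `-71,7 +72,7`) the `empty($this->token)` guard in front of the new `PasswordUtil::secureCompare()` call is load-bearing and has no comment saying so. If a user row ever holds an empty `notificationMailToken`, an empty request token would compare equal, so the guard has to stay ahead of the comparison; whether the stored token can be empty is not visible in this hunk. I would add `// reject empty tokens first: an unset notificationMailToken must never match; secureCompare() keeps the check strict and constant-time` above the `if`. The enclosing method starts outside the hunk.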
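Review bot: NewPasswordForm.class.php now calls `PasswordUtil::secureCompare()`, but unlike NotificationDisableAction.class.php this patch adds no `use wcf\util\PasswordUtil;` to that file. If the class is not already imported there, the name resolves against the file's own namespace and the call fails at runtime on the password-reset path, so please confirm the import exists or add it. Separately, this comparison has no empty-value guard of its own and relies on the check that ends just above it (the earlier `throw new UserInputException('lostPasswordKey', 'notValid')`), whose condition starts outside the hunk. If that check does not reject an empty stored `lostPasswordKey`, two empty strings would compare equal; a comment such as `// stored key is non-empty here (checked above); compare in constant time` would record the dependency.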