From: Tim Düsterhus
Date: Thu, 7 Feb 2013 16:18:04 +0000 (+0100)
Subject: Use secure compare to validate master password
X-Git-Tag: 2.0.0_Beta_1~499^2~1^2
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=ca904f1eded7b2ee7a3deaab44df29338f14cde2;p=GitHub%2FWoltLab%2FWCF.git
Use secure compare to validate master password
---
diff --git a/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php b/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
index 23abbf5131..a7c652e450 100755
--- a/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/MasterPasswordForm.class.php
@@ -62,7 +62,7 @@ class MasterPasswordForm extends AbstractForm {
 }
 // check password
- if (PasswordUtil::getSaltedHash($this->masterPassword, MASTER_PASSWORD_SALT) != MASTER_PASSWORD) {
+ if (PasswordUtil::secureCompare(PasswordUtil::getSaltedHash($this->masterPassword, MASTER_PASSWORD_SALT), MASTER_PASSWORD)) {
 throw new UserInputException('masterPassword', 'invalid');
 }
 }
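Review bot: The condition under `// check password` looks inverted: the removed line threw when the hashes differed (`!=`), but the added line throws when `PasswordUtil::secureCompare(...)` returns true. secureCompare is not shown in this hunk, but if it returns true on a match, as the name and the commit subject suggest, the form now rejects the correct master password and accepts every other value, so the check no longer protects anything. The call should be negated: `if (!PasswordUtil::secureCompare(PasswordUtil::getSaltedHash($this->masterPassword, MASTER_PASSWORD_SALT), MASTER_PASSWORD)) {`. The enclosing method starts above the hunk, so the rest of the validation is not visible here. A regression test that submits one valid and one invalid password would catch this kind of sign flip.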