From: Tim Düsterhus
Date: Thu, 30 May 2013 19:11:01 +0000 (+0200)
Subject: Use PasswordUtil::secureCompare() to validate SECURITY_TOKEN
X-Git-Tag: 2.0.0_Beta_2~7^2
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d4f5c98c089251ac9893ba75c38b87d3f4e74a09;p=GitHub%2FWoltLab%2FWCF.git
Use PasswordUtil::secureCompare() to validate SECURITY_TOKEN
---
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index dd63d07abe..643b7914a6 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -10,6 +10,7 @@ use wcf\system\user\authentication\UserAuthenticationFactory;
 use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
+use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;

@@ -232,7 +233,7 @@ class SessionHandler extends SingletonFactory {
 * @return boolean
 */
 public function checkSecurityToken($token) {
- return ($this->getSecurityToken() === $token);
+ return PasswordUtil::secureCompare($this->getSecurityToken(), $token);
 }

 /**
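Review bot: `$token` now reaches `PasswordUtil::secureCompare()` in `checkSecurityToken()` without a type check, whereas the removed `===` rejected every non-string value outright. The body of `secureCompare()` is not part of this diff, so it should be confirmed that it returns false, without a notice or a string cast that could match, when the request supplies an array or null, and that a length mismatch does not short-circuit in a way that depends on the secret's content. A guard that keeps the old strictness would be `return is_string($token) && PasswordUtil::secureCompare($this->getSecurityToken(), $token);`. The docblock, which starts above the hunk, could also gain a line such as `* Compares in constant time to avoid leaking the token through response timing.` so the reason for not using `===` stays visible to later maintainers.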