From d4f5c98c089251ac9893ba75c38b87d3f4e74a09 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 30 May 2013 21:11:01 +0200
Subject: [PATCH] Use PasswordUtil::secureCompare() to validate SECURITY_TOKEN
---
 .../install/files/lib/system/session/SessionHandler.class.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index dd63d07abe..643b7914a6 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -10,6 +10,7 @@ use wcf\system\user\authentication\UserAuthenticationFactory;
 use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
+use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;
@@ -232,7 +233,7 @@ class SessionHandler extends SingletonFactory {
 * @return boolean
 */
 public function checkSecurityToken($token) {
- return ($this->getSecurityToken() === $token);
+ return PasswordUtil::secureCompare($this->getSecurityToken(), $token);
 }
 /**
--
2.20.1
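Review bot: In `checkSecurityToken()` the old `===` rejected any non-string `$token` outright, whereas the new call hands the caller-supplied value straight to `PasswordUtil::secureCompare()`, whose handling of arrays or `null` is not visible in this patch. If that helper casts or measures its arguments, a request parameter sent as an array could raise a notice or be compared in an unintended form, so I would keep the type check in front: `return is_string($token) && PasswordUtil::secureCompare($this->getSecurityToken(), $token);`. The docblock above the method (it starts outside the hunk) would also benefit from a line such as `Uses a constant-time comparison to avoid leaking the token through response timing.` so the call is not later simplified back to `===`.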