From: Gergő Tisza Date: Sat, 21 Nov 2015 19:51:02 +0000 (-0800) Subject: Use hash_equals in User::matchEditToken X-Git-Tag: 1.31.0-rc.0~8637 X-Git-Url: http://git.cyclocoop.org/%22%20%20.%20generer_url_ecrire%28%22mots_tous%22%29%20.%20%22?a=commitdiff_plain;h=f5db0b307b45cbd236e4426440653e697ef4cf80;p=lhc%2Fweb%2Fwiklou.git Use hash_equals in User::matchEditToken There is no point in using hash_equals for the return value if we do a normal comparison before. Bug: T119309 Signed-off-by: Chad Horohoe Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072 --- diff --git a/includes/user/User.php b/includes/user/User.php index c6d215d9ad..2ac0f2c0f6 100644 --- a/includes/user/User.php +++ b/includes/user/User.php @@ -4228,7 +4228,7 @@ class User implements IDBAccessObject { $salt, $request ?: $this->getRequest(), $timestamp ); - if ( $val != $sessionToken ) { + if ( !hash_equals( $sessionToken, $val ) ) { wfDebug( "User::matchEditToken: broken session data\n" ); }
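Review bot: On the changed line `if ( !hash_equals( $sessionToken, $val ) ) {`, hash_equals() requires both arguments to be strings, whereas the `!=` it replaces accepted any type, and nothing in the visible context shows that `$val` is always a string at this point. If `$val` can reach this line as null or as an array taken from request input, add an is_string() guard or normalise it before the call, so the check fails closed and logs "broken session data" rather than raising a warning or type error. The argument order looks right, assuming `$sessionToken` is the server-side value and `$val` the submitted one, since the documented signature is hash_equals( known_string, user_string ). The commit message says the return value is also compared with hash_equals, so consider computing the result once into a local variable and using it for both the debug branch and the return, so that the two comparisons cannot drift apart again.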