(bug 35961) Hash comparison should always be strict.

[lhc/web/wiklou.git] / includes / User.php

diff --git a/includes/User.php b/includes/User.php
index af923ff..d3332fd 100644 (file)
--- a/includes/User.php
+++ b/includes/User.php
@@ -3924,7 +3924,7 @@ class User {
                } elseif ( $type == ':B:' ) {
                        # Salted
                        list( $salt, $realHash ) = explode( ':', substr( $hash, 3 ), 2 );
-                       return md5( $salt.'-'.md5( $password ) ) == $realHash;
+                       return md5( $salt.'-'.md5( $password ) ) === $realHash;
                } else {
                        # Old-style
                        return self::oldCrypt( $password, $userId ) === $hash;