Merge "(bug 35961) Hash comparison should always be strict."
authorAaron Schulz <aschulz@wikimedia.org>
Fri, 20 Apr 2012 08:03:42 +0000 (08:03 +0000)
committerGerrit Code Review <gerrit@wikimedia.org>
Fri, 20 Apr 2012 08:03:42 +0000 (08:03 +0000)
includes/User.php

index af923ff..d3332fd 100644 (file)
@@ -3924,7 +3924,7 @@ class User {
                } elseif ( $type == ':B:' ) {
                        # Salted
                        list( $salt, $realHash ) = explode( ':', substr( $hash, 3 ), 2 );
-                       return md5( $salt.'-'.md5( $password ) ) == $realHash;
+                       return md5( $salt.'-'.md5( $password ) ) === $realHash;
                } else {
                        # Old-style
                        return self::oldCrypt( $password, $userId ) === $hash;
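Review bot: The new `=== $realHash` comparison in the `:B:` branch removes the type-juggling risk of `==`, where two different digests that both look like numeric strings (for example `0e` followed by digits) compare equal, but `===` on strings is still not guaranteed to run in constant time. Where the supported PHP version provides it (5.6 or later), I would write `return hash_equals( $realHash, md5( $salt.'-'.md5( $password ) ) );`, and use a fixed-time comparison helper otherwise. The same applies to the old-style branch, `return self::oldCrypt( $password, $userId ) === $hash;`. A stored value with no second `:` leaves `$realHash` unset after `list()`, so that case should return false explicitly before the comparison rather than depend on `===` failing against null. The enclosing method starts and ends outside this hunk, so the handling of other hash types is not visible here.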