Avoids a theoretical timing attack.
Bug: T94116
Change-Id: Ia4a2b13bd5d3cd256c6b2deada224148dc2888a6
$this->dieUsage( 'Specified user does not exist', 'bad_wlowner' );
}
$token = $user->getOption( 'watchlisttoken' );
- if ( $token == '' || $token != $params['token'] ) {
+ if ( $token == '' || !hash_equals( $token, $params['token'] ) ) {
$this->dieUsage(
'Incorrect watchlist token provided -- please set a correct token in Special:Preferences',
'bad_wltoken'
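Review bot: `hash_equals()` on the added line accepts only strings, and nothing in the visible lines guarantees that `$params['token']` is one. The old `!=` comparison tolerated a null or other non-string value, whereas `hash_equals()` raises a warning or, on newer PHP versions, a `TypeError` for it. The enclosing method starts and ends outside this hunk, so an earlier null check may already cover this. If it does not, guard the call explicitly: `if ( $token == '' || !is_string( $params['token'] ) || !hash_equals( $token, $params['token'] ) ) {`. A short comment above the line, such as `// Constant-time comparison: stored token first, user-supplied value second`, would keep a later cleanup from reverting to `!=`.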