From f5db0b307b45cbd236e4426440653e697ef4cf80 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Sat, 21 Nov 2015 11:51:02 -0800
Subject: [PATCH] Use hash_equals in User::matchEditToken

There is no point in using hash_equals for the return value if we do a normal comparison before.

Bug: T119309
Signed-off-by: Chad Horohoe
Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072
---
 includes/user/User.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/user/User.php b/includes/user/User.php
index c6d215d9ad..2ac0f2c0f6 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -4228,7 +4228,7 @@ class User implements IDBAccessObject {
 $salt, $request ?: $this->getRequest(), $timestamp
 );
- if ( $val != $sessionToken ) {
+ if ( !hash_equals( $sessionToken, $val ) ) {
 wfDebug( "User::matchEditToken: broken session data\n" );
 }
--
2.20.1
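Review bot: The new `hash_equals( $sessionToken, $val )` call in the `if` requires both arguments to be strings, whereas the `!=` it replaces accepted any type. The hunk does not show whether `$val` is guaranteed to be a string by this point. If it can arrive as null or an array from request data, `hash_equals` raises a warning on older PHP and a `TypeError` on PHP 8 instead of simply failing the match. Going by the commit message, the return statement below the hunk repeats the same comparison. Computing it once with `$ok = is_string( $val ) && hash_equals( $sessionToken, $val );`, then testing `!$ok` here and returning `$ok`, would guard both sites and avoid evaluating the token check twice. The body of matchEditToken starts and ends outside the hunk, so this should be checked against the earlier handling of `$val`.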