There is no point in using hash_equals for the return value if we
do a normal (timing-dependent) comparison before it.
Bug: T119309
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072
$salt, $request ?: $this->getRequest(), $timestamp
);
$salt, $request ?: $this->getRequest(), $timestamp
);
- if ( $val != $sessionToken ) {
+ if ( !hash_equals( $sessionToken, $val ) ) {
wfDebug( "User::matchEditToken: broken session data\n" );
}
wfDebug( "User::matchEditToken: broken session data\n" );
}
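Review bot: `hash_equals()` on the `+` line only accepts strings, whereas the `!=` it replaces tolerated any type, and nothing visible in this hunk guarantees that `$val` is a string at this point. If a missing or malformed token parameter can reach here as null or an array, PHP raises a warning (a TypeError on newer versions) instead of quietly taking the mismatch path, so I would guard it: `if ( !is_string( $val ) || !hash_equals( $sessionToken, $val ) ) {`. The argument order (known session token first, user-supplied value second) is right. The body of matchEditToken starts and ends outside the hunk, so an earlier check may already cover this; worth confirming.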