Use hash_equals in User::matchEditToken
author Gergő Tisza <tgr.huwiki@gmail.com>
Sat, 21 Nov 2015 19:51:02 +0000 (11:51 -0800)
committer Chad Horohoe <chadh@wikimedia.org>
Fri, 18 Dec 2015 00:38:53 +0000 (16:38 -0800)
There is no point in using hash_equals for the return value if we
do a normal comparison before.

Bug: T119309
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072

includes/user/User.php

index c6d215d..2ac0f2c 100644 (file)
@@ -4228,7 +4228,7 @@ class User implements IDBAccessObject {
                        $salt, $request ?: $this->getRequest(), $timestamp
                );
 
-               if ( $val != $sessionToken ) {
+               if ( !hash_equals( $sessionToken, $val ) ) {
                        wfDebug( "User::matchEditToken: broken session data\n" );
                }
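Review bot: hash_equals() returns false and raises a PHP warning when either argument is not a string, so the new check `if ( !hash_equals( $sessionToken, $val ) )` will warn (rather than silently fail as the old `!=` did) whenever $val arrives as null, an array or another non-string; guard it with an is_string( $val ) check or cast before the call so the debug path stays warning-free. The argument order is right: $sessionToken is the server-computed value and belongs in the known_string position, with $val as user_string.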