From cc684596561ef1275519042fc33c368e56a1a082 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?=
Date: Sat, 21 Nov 2015 11:51:02 -0800
Subject: [SECURITY] Use hash_equals in User::matchEditToken

There is no point in using hash_equals for the return value if we do a normal comparison before.

Bug: T119309
Change-Id: Ia44ec5ed492105b27d0fddd845d58d27a29dc072
---
 includes/User.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/includes/User.php b/includes/User.php
index 3d1aa7e..c548f76 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -4228,7 +4228,7 @@ class User implements IDBAccessObject {
 $salt, $request ?: $this->getRequest(), $timestamp
 );
 
- if ( $val != $sessionToken ) {
+ if ( !hash_equals( $sessionToken, $val ) ) {
 wfDebug( "User::matchEditToken: broken session data\n" );
 }
 
--
1.9.1
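Review bot: The token comparison is now evaluated twice with the same arguments: once in this `if` and, going by the commit message, again for the return value, which lies outside the hunk. Computing it once, e.g. `$match = hash_equals( $sessionToken, $val );` followed by `if ( !$match ) {` and returning `$match`, keeps the debug branch and the result from drifting apart. A short comment above the check, such as `// Constant-time, type-strict comparison: do not replace with == or != (timing side channel, loose string juggling)`, would keep a later cleanup from reintroducing the loose comparison. hash_equals expects two strings, so it is worth confirming that `$val` is always a string by this point; the code that validates it is not visible in this hunk.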