From 0bc04a4df098da1fd8fe6e272ebf877ae15b7032 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Wed, 22 Oct 2014 14:54:55 -0500
Subject: [ticket/13203] Use string_compare method in passwords drivers

PHPBB3-13203
---
 phpBB/phpbb/passwords/driver/sha_xf1.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'phpBB/phpbb/passwords/driver/sha_xf1.php')

diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php
index 7a1ea1450a..9d8f01796e 100644
--- a/phpBB/phpbb/passwords/driver/sha_xf1.php
+++ b/phpBB/phpbb/passwords/driver/sha_xf1.php
@@ -54,8 +54,8 @@ class sha_xf1 extends base
 		else
 		{
 			// Works for xenforo 1.0, 1.1
-			if ($hash === sha1(sha1($password) . $user_row['user_passwd_salt'])
-				|| $hash === hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt']))
+			if ($this->helper->string_compare($hash, sha1(sha1($password) . $user_row['user_passwd_salt']))
+				|| $this->helper->string_compare($hash, hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt'])))
 			{
 				return true;
 			}
-- 
cgit v1.2.1