3 files changed, 56 insertions, 10 deletions
diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php
index caa65080ac..f80c3e3df6 100644
--- a/phpBB/phpbb/passwords/driver/helper.php
+++ b/phpBB/phpbb/passwords/driver/helper.php
@@ -153,11 +153,23 @@ class helper
 	 */
 	public function string_compare($string_a, $string_b)
 	{
-		$difference = strlen($string_a) != strlen($string_b);
+		// Return if input variables are not strings or if length does not match
+		if (!is_string($string_a) || !is_string($string_b) || strlen($string_a) != strlen($string_b))
+		{
+			return false;
+		}
+
+		// Use hash_equals() if it's available
+		if (function_exists('hash_equals'))
+		{
+			return hash_equals($string_a, $string_b);
+		}
+
+		$difference = 0;
 
 		for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
 		{
-			$difference |= $string_a[$i] != $string_b[$i];
+			$difference |= ord($string_a[$i]) ^ ord($string_b[$i]);
 		}
 
 		return $difference === 0;
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
index 81ac010785..38d6d9cd2c 100644
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -75,7 +75,7 @@ class salted_md5 extends base
 				// happen if pre-determined settings are
 				// directly passed to the driver. The manager
 				// will not do this. Same as the old hashing
-				// implementatio in phpBB 3.0
+				// implementation in phpBB 3.0
 				return md5($password);
 			}
 		}
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index aa9147ecf4..b2caba81f2 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -50,21 +50,47 @@ class manager
 	protected $config;
 
 	/**
+	 * @var bool Whether or not initialized() has been called
+	 */
+	private $initialized = false;
+
+	/**
+	 * @var array Hashing driver service collection
+	 */
+	private $hashing_algorithms;
+
+	/**
+	 * @var array List of default driver types
+	 */
+	private $defaults;
+
+	/**
 	* Construct a passwords object
 	*
-	* @param \phpbb\config\config $config phpBB configuration
-	* @param array $hashing_algorithms Hashing driver
-	*			service collection
-	* @param \phpbb\passwords\helper $helper Passwords helper object
-	* @param array $defaults List of default driver types
+	* @param \phpbb\config\config		$config				phpBB configuration
+	* @param array						$hashing_algorithms	Hashing driver service collection
+	* @param \phpbb\passwords\helper	$helper				Passwords helper object
+	* @param array						$defaults			List of default driver types
 	*/
 	public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)
 	{
 		$this->config = $config;
 		$this->helper = $helper;
+		$this->hashing_algorithms = $hashing_algorithms;
+		$this->defaults = $defaults;
+	}
 
-		$this->fill_type_map($hashing_algorithms);
-		$this->register_default_type($defaults);
+	/**
+	 * Initialize the internal state
+	 */
+	protected function initialize()
+	{
+		if (!$this->initialized)
+		{
+			$this->initialized = true;
+			$this->fill_type_map($this->hashing_algorithms);
+			$this->register_default_type($this->defaults);
+		}
 	}
 
 	/**
@@ -144,6 +170,8 @@ class manager
 			return false;
 		}
 
+		$this->initialize();
+
 		// Be on the lookout for multiple hashing algorithms
 		// 2 is correct: H\2a > 2, H\P > 2
 		if (strlen($match[1]) > 2)
@@ -192,6 +220,8 @@ class manager
 			return false;
 		}
 
+		$this->initialize();
+
 		// Try to retrieve algorithm by service name if type doesn't
 		// start with dollar sign
 		if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type]))
@@ -242,6 +272,8 @@ class manager
 			return false;
 		}
 
+		$this->initialize();
+
 		// First find out what kind of hash we're dealing with
 		$stored_hash_type = $this->detect_algorithm($hash);
 		if ($stored_hash_type == false)
@@ -297,6 +329,8 @@ class manager
 	*/
 	public function combined_hash_password($password_hash, $type)
 	{
+		$this->initialize();
+
 		$data = array(
 			'prefix' => '$',
 			'settings' => '$',