From 0bc04a4df098da1fd8fe6e272ebf877ae15b7032 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Wed, 22 Oct 2014 14:54:55 -0500
Subject: [ticket/13203] Use string_compare method in passwords drivers

PHPBB3-13203
---
 phpBB/phpbb/passwords/driver/sha1_wcf1.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'phpBB/phpbb/passwords/driver/sha1_wcf1.php')

diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
index 919fa2bb71..68006486c4 100644
--- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php
+++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
@@ -54,7 +54,7 @@ class sha1_wcf1 extends base
 		else
 		{
 			// Works for standard WCF 1.x, i.e. WBB3 and similar
-			return $hash === sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password)));
+			return $this->helper->string_compare($hash, sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password))));
 		}
 	}
 }
-- 
cgit v1.2.1