(security/core#104) CRM_Utils_System::authenticateKey - Use secure equality test

author Tim Otten <totten@civicrm.org>

Thu, 25 Feb 2021 01:54:42 +0000 (17:54 -0800)

committer Seamus Lee <seamuslee001@gmail.com>

Wed, 17 Mar 2021 21:51:44 +0000 (08:51 +1100)
author Tim Otten <totten@civicrm.org>
Thu, 25 Feb 2021 01:54:42 +0000 (17:54 -0800)
committer Seamus Lee <seamuslee001@gmail.com>
Wed, 17 Mar 2021 21:51:44 +0000 (08:51 +1100)
diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php

index 5c27f998d451fb88c75aaf7b1cb3e8b67a14932f..4be0a9588857a8696948b2b4a2d60432b4167959 100644 (file)
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -629,7 +629,7 @@ class CRM_Utils_System {
        );
      }
  
-    if ($key !== $siteKey) {
+    if (!hash_equals($siteKey, $key)) {
        return self::authenticateAbort(
          "ERROR: Invalid key value sent. " . $docAdd . "\n",
          $abort
author	Tim Otten <totten@civicrm.org>
	Thu, 25 Feb 2021 01:54:42 +0000 (17:54 -0800)
committer	Seamus Lee <seamuslee001@gmail.com>
	Wed, 17 Mar 2021 21:51:44 +0000 (08:51 +1100)