From: Tim Otten
Date: Thu, 25 Feb 2021 01:54:42 +0000 (-0800)
Subject: (security/core#104) CRM_Utils_System::authenticateKey - Use secure equality test
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=9cf67abf81be1a246563b0e9c6ddfb1cf4d95d21;p=civicrm-core.git
(security/core#104) CRM_Utils_System::authenticateKey - Use secure equality test
---
diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
index 5c27f998d4..4be0a95888 100644
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -629,7 +629,7 @@ class CRM_Utils_System {
 );
 }
- if ($key !== $siteKey) {
+ if (!hash_equals($siteKey, $key)) {
 return self::authenticateAbort(
 "ERROR: Invalid key value sent. " . $docAdd . "\n",
 $abort
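Review bot: `hash_equals()` accepts only strings, and the new condition passes `$key` to it without a type check; where `$key` is assigned is outside the hunk, so if it can ever be a non-string (for instance an array-valued request parameter), PHP 8 raises a TypeError instead of reaching `authenticateAbort()`. Guarding the call, `if (!is_string($key) || !hash_equals($siteKey, $key)) {`, makes that case fail as an ordinary invalid key. The argument order (known secret first, supplied value second) matches the function's documented signature. A one-line comment above the condition, such as `// Constant-time comparison of the site key; do not replace with ===.`, would keep a later cleanup from reintroducing the timing difference this commit removes. The enclosing authenticateKey body starts and ends outside the hunk, so the earlier handling of `$key` and `$siteKey` should be confirmed there.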