From 0befd82f1a876d5359d45dc857078c6b55ba4102 Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Fri, 8 Feb 2019 14:46:36 +1100
Subject: [PATCH] prevent timing attacks on the contact checksum validation
---
 CRM/Contact/BAO/Contact/Utils.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CRM/Contact/BAO/Contact/Utils.php b/CRM/Contact/BAO/Contact/Utils.php
index 7a81cb029e..db4114aa0d 100644
--- a/CRM/Contact/BAO/Contact/Utils.php
+++ b/CRM/Contact/BAO/Contact/Utils.php
@@ -229,7 +229,7 @@ WHERE id IN ( $idString )
 $check = self::generateChecksum($contactID, $inputTS, $inputLF);
- if ($check != $inputCheck) {
+ if (!hash_equals($check, $inputCheck)) {
 return FALSE;
 }
-- 
2.25.1
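Review bot: `hash_equals()` accepts only strings, and nothing in this hunk establishes that `$inputCheck` is one, whereas the old `!=` tolerated any type. If the value can arrive as null or an array (its origin is outside the hunk, so this needs confirming against the caller), PHP 7 emits a warning and PHP 8 throws a TypeError instead of the function returning FALSE. Guarding the call keeps the rejection path quiet: `if (!is_string($inputCheck) || !hash_equals($check, $inputCheck)) {`. The argument order is right (known value first), and a short comment such as `// constant-time compare: computed checksum first, user-supplied value second` would keep a later edit from reverting to `!=`. The enclosing function starts and ends outside the hunk.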