From a535ce3f0922467cf61bbb5c1b5350ef06a89e61 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Wed, 24 Feb 2021 17:54:42 -0800
Subject: [PATCH] (security/core#104) CRM_Utils_System::authenticateKey - Use secure equality test

---
 CRM/Utils/System.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CRM/Utils/System.php b/CRM/Utils/System.php
index 5c27f998d4..4be0a95888 100644
--- a/CRM/Utils/System.php
+++ b/CRM/Utils/System.php
@@ -629,7 +629,7 @@ class CRM_Utils_System {
 );
 }
 
- if ($key !== $siteKey) {
+ if (!hash_equals($siteKey, $key)) {
 return self::authenticateAbort(
 "ERROR: Invalid key value sent. " . $docAdd . "\n",
 $abort
-- 
2.25.1
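Review bot: `hash_equals()` accepts only strings, and nothing visible in this hunk guarantees that `$key` is one when it reaches the new `if (!hash_equals($siteKey, $key))` line. The old `!==` simply evaluated to a mismatch for a non-string value, whereas on PHP 8 a non-string argument raises a `TypeError` (a warning on PHP 7) instead of taking the `authenticateAbort()` path. The assignments of `$key` and `$siteKey` sit outside the hunk, as do the start and end of the enclosing function, so this needs confirming against the full body; if `$key` comes straight from request data, the guard could read `if (!is_string($key) || !hash_equals($siteKey, $key)) {`. A short comment such as `// Constant-time comparison of the site key; do not revert to ===/!==.` would also keep a later cleanup from undoing the fix.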