Use hash_equals() rather than direct string comparison (#13136)

pimcore · Sep 13, 2022 · d0bfcd4 · d0bfcd4
1 parent fda5202
commit d0bfcd4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/models/DataObject/ClassDefinition/Data/Password.php b/models/DataObject/ClassDefinition/Data/Password.php
@@ -302,7 +302,7 @@ public function verifyPassword($password, DataObject\Concrete $object, $updateHa
             }
         } else {
             $hash = $this->calculateHash($password);
-            $result = $hash === $objectHash;
+            $result = hash_equals($objectHash, $hash);
         }
 
         return $result;