From d0bfcd484a6caf5389188461880aa4b18f7c166b Mon Sep 17 00:00:00 2001
From: Niklas
Date: Tue, 13 Sep 2022 08:33:54 +0200
Subject: [PATCH] Use hash_equals() rather than direct string comparison (#13136)
---
 models/DataObject/ClassDefinition/Data/Password.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/models/DataObject/ClassDefinition/Data/Password.php b/models/DataObject/ClassDefinition/Data/Password.php
index 5b670fb0241..af4f011dfa5 100644
--- a/models/DataObject/ClassDefinition/Data/Password.php
+++ b/models/DataObject/ClassDefinition/Data/Password.php
@@ -302,7 +302,7 @@ public function verifyPassword($password, DataObject\Concrete $object, $updateHa
 }
 } else {
 $hash = $this->calculateHash($password);
- $result = $hash === $objectHash;
+ $result = hash_equals($objectHash, $hash);
 }
 return $result;
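Review bot: On the new `hash_equals($objectHash, $hash)` line both arguments must be strings; the old `===` simply yielded false for a null or other non-string value, whereas `hash_equals()` raises a TypeError on PHP 8. The hunk does not show where `$objectHash` is assigned or whether it is validated before this branch, so unless that guarantee already exists the line could read `$result = is_string($objectHash) && hash_equals($objectHash, $hash);`. The argument order (stored value first, value derived from the submitted password second) matches the function's known/user parameters and should be kept. A short comment such as `// constant-time compare; do not replace with ===` would keep a later cleanup from reverting the fix. verifyPassword() begins and ends outside this hunk.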