Commit e758457a authored by Oliver Hader's avatar Oliver Hader Committed by Andreas Fernandez

[BUGFIX] Use hash_equals when comparing cryptographic hash values

Resolves: #91510
Releases: master, 10.4, 9.5
Change-Id: I5bfda8310342718dc696b182fd87b1954a6cdc39
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64549


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee's avatarOliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
parent 81fb9230
......@@ -297,7 +297,7 @@ class PasswordReset implements LoggerAwareInterface
// no native SHA1/ CONCAT functionality, has to be done in PHP
$stmt = $queryBuilder->execute();
while ($row = $stmt->fetch()) {
if (hash('sha1', $row['email'] . (string)$row['uid']) === $identity) {
if (hash_equals(hash('sha1', $row['email'] . (string)$row['uid']), $identity)) {
$user = $row;
break;
}
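Review bot: `hash_equals()` requires both arguments to be strings, so the new `hash_equals(hash('sha1', ...), $identity)` condition no longer behaves like `===` when `$identity` is not a string. It emits a warning on PHP 7 and throws a TypeError on PHP 8, where the old comparison simply evaluated to false. The assignment of `$identity` is outside this hunk; if it is taken from request data, add an `is_string($identity)` check before the loop or cast it where it is assigned. A comment such as `// unkeyed lookup digest of email+uid, not a secret; constant-time compare is defence in depth` would also help, since anyone who knows both values can compute the digest. The enclosing method starts and ends outside the hunk.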
......
......@@ -642,7 +642,7 @@ class ResourceCompressor
$filename = $this->targetDirectory . 'external-' . md5($url);
// Write only if file does not exist OR md5 of the content is not the same as fetched one
if (!file_exists(Environment::getPublicPath() . '/' . $filename)
|| (md5($externalContent) !== md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)))
|| !hash_equals(md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)), md5($externalContent))
) {
GeneralUtility::writeFile(Environment::getPublicPath() . '/' . $filename, $externalContent);
}
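Review bot: The `!hash_equals(md5(file_get_contents(...)), md5($externalContent))` line compares two locally computed digests for change detection, not a value against a secret, so it deserves a comment such as `// change detection only; does not authenticate $externalContent`. Without it a reader may take this for an integrity check on the fetched content. Separately, `file_get_contents()` can return false if the file disappears or becomes unreadable after `file_exists()`; `md5(false)` then hashes the empty string, or raises a TypeError if the file declares strict_types. Reading the file once into a variable and treating false as "rewrite" would make that case explicit, and building `Environment::getPublicPath() . '/' . $filename` once as `$absolutePath` would shorten the condition. The enclosing method starts and ends outside the hunk.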
......