Updated _password_verify_sha1_legacy() to use hash_equals instead of …

…a strict string comparison in order to mitigate timing attacks This resolves #1555
benedmunds · Mar 23, 2022 · f08cd91 · f08cd91
1 parent 72352df
commit f08cd91
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/models/Ion_auth_model.php b/models/Ion_auth_model.php
@@ -2776,7 +2776,7 @@ protected function _password_verify_sha1_legacy($identity, $password, $hashed_pa
 		}
 
 		// Now we can compare them
-		if($hashed_password === $hashed_password_db)
+		if(hash_equals($hashed_password, $hashed_password_db))
 		{
 			// Password is good, migrate it to latest
 			$result = $this->_set_password_db($identity, $password);