From fb94bd11fbffb1342cb094e76899a01180d56917 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 4 Jun 2015 17:16:22 +0200
Subject: [ticket/13917] Do not pass non-string variables to hash_equals()

PHPBB3-13917
---
 phpBB/phpbb/passwords/driver/helper.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'phpBB/phpbb/passwords')

diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php
index a99541233f..f80c3e3df6 100644
--- a/phpBB/phpbb/passwords/driver/helper.php
+++ b/phpBB/phpbb/passwords/driver/helper.php
@@ -153,17 +153,23 @@ class helper
 	 */
 	public function string_compare($string_a, $string_b)
 	{
+		// Return if input variables are not strings or if length does not match
+		if (!is_string($string_a) || !is_string($string_b) || strlen($string_a) != strlen($string_b))
+		{
+			return false;
+		}
+
 		// Use hash_equals() if it's available
 		if (function_exists('hash_equals'))
 		{
 			return hash_equals($string_a, $string_b);
 		}
 
-		$difference = strlen($string_a) != strlen($string_b);
+		$difference = 0;
 		for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
 		{
-			$difference |= $string_a[$i] != $string_b[$i];
+			$difference |= ord($string_a[$i]) ^ ord($string_b[$i]);
 		}
 
 		return $difference === 0;
-- 
cgit v1.2.3-65-gdbad
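Review bot: With the new length guard at the top of string_compare, the fallback loop's condition `$i < strlen($string_a) && $i < strlen($string_b)` is redundant and recomputes both lengths on every iteration; hoisting it to `$length = strlen($string_a);` and looping `for ($i = 0; $i < $length; $i++)` states the intent (both strings are known to be equal in length at that point) more plainly. The guard compares two ints with `!=`, whereas the return line already uses strict `=== 0`; `!==` would keep the method consistent. The fallback now folds per-byte XORs into an int, which only works with `$difference` initialised to the int `0`, so a short why-comment is worth adding above the loop, e.g. `// Accumulate byte differences without branching so timing does not depend on where the strings differ`. The method's docblock begins above the hunk and should state that non-string input now yields false instead of being forwarded to hash_equals(); the closing brace of string_compare lies past the end of the hunk.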