From 8bcfa57342ecd716273e55de75b50e0ad656196e Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Thu, 10 Sep 2020 22:17:50 +1200
Subject: [PATCH] BUG Make PasswordEncryptor::check more resistent to timing attacks

---
 src/Security/PasswordEncryptor.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Security/PasswordEncryptor.php b/src/Security/PasswordEncryptor.php
index 6b2b0e695..6540a7e21 100644
--- a/src/Security/PasswordEncryptor.php
+++ b/src/Security/PasswordEncryptor.php
@@ -100,6 +100,6 @@ abstract class PasswordEncryptor
      */
     public function check($hash, $password, $salt = null, $member = null)
     {
-        return $hash === $this->encrypt($password, $salt, $member);
+        return hash_equals($hash, $this->encrypt($password, $salt, $member));
     }
 }
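Review bot: `hash_equals()` requires both arguments to be strings, so the new return line turns a non-string `$hash` (for example `null` where no password has been stored) from a silent `false` under `===` into a warning-and-`false` on PHP 7 and a `TypeError` on PHP 8; `$hash` is untyped in the signature, so as far as this hunk shows nothing guarantees a string reaches it. A guard ahead of the return preserves the old fail-closed behaviour while keeping the constant-time comparison: `if (!is_string($hash)) { return false; }`. The same concern applies if `encrypt()` can return something other than a string on failure, which cannot be seen from this hunk. The docblock closing just above the method is the place to record that the comparison is deliberately constant-time to avoid leaking how many leading bytes of the hash matched; that docblock and the `PasswordEncryptor` class start outside the hunk.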