From 8d0509fc2193a1ab11ebbd7712ac4f245f43a430 Mon Sep 17 00:00:00 2001
From: Oliver Hader <oliver@typo3.org>
Date: Wed, 27 May 2020 17:29:00 +0200
Subject: [PATCH] [BUGFIX] Use hash_equals when comparing cryptographic hash
 values

Resolves: #91510
Releases: master, 10.4, 9.5
Change-Id: I5bfda8310342718dc696b182fd87b1954a6cdc39
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64590
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
---
 typo3/sysext/backend/Classes/Authentication/PasswordReset.php | 2 +-
 typo3/sysext/core/Classes/Resource/ResourceCompressor.php     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
index 788eb640a570..c6b455d81834 100644
--- a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
+++ b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
@@ -297,7 +297,7 @@ class PasswordReset implements LoggerAwareInterface
             // no native SHA1/ CONCAT functionality, has to be done in PHP
             $stmt = $queryBuilder->execute();
             while ($row = $stmt->fetch()) {
-                if (hash('sha1', $row['email'] . (string)$row['uid']) === $identity) {
+                if (hash_equals(hash('sha1', $row['email'] . (string)$row['uid']), $identity)) {
                     $user = $row;
                     break;
                 }
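Review bot: `hash_equals()` on the new line requires both arguments to be strings, so if `$identity` can arrive as anything else (an array from a crafted query parameter, or null) the comparison now throws a TypeError on PHP 8 (a warning plus `false` on PHP 7) instead of simply not matching; where `$identity` comes from is outside this hunk, so this is hedged. A SHA-1 hex digest is exactly 40 lowercase hex characters, so the cheapest guard is to validate the shape once before the loop rather than per row: `if (!is_string($identity) || preg_match('/^[0-9a-f]{40}$/', $identity) !== 1) { /* no user can match; skip the lookup */ }`, returning whatever the enclosing method returns for "not found". Because the hash is computed from `$row['email']` and `$row['uid']`, which are not secret, a one-line comment stating why the constant-time compare still matters would help the next maintainer, e.g. `// constant-time compare: a byte-wise early exit would let a caller probe for valid identities`. The enclosing method starts and ends outside this hunk.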
diff --git a/typo3/sysext/core/Classes/Resource/ResourceCompressor.php b/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
index b45acdea1556..00df858d170e 100644
--- a/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
+++ b/typo3/sysext/core/Classes/Resource/ResourceCompressor.php
@@ -642,7 +642,7 @@ class ResourceCompressor
         $filename = $this->targetDirectory . 'external-' . md5($url);
         // Write only if file does not exist OR md5 of the content is not the same as fetched one
         if (!file_exists(Environment::getPublicPath() . '/' . $filename)
-            || (md5($externalContent) !== md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)))
+            || !hash_equals(md5(file_get_contents(Environment::getPublicPath() . '/' . $filename)), md5($externalContent))
         ) {
             GeneralUtility::writeFile(Environment::getPublicPath() . '/' . $filename, $externalContent);
         }
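Review bot: The `file_get_contents()` result on the new line is fed straight into `md5()` without checking for `false`, so a file that exists but is unreadable (or is removed between the `file_exists()` check and the read) produces a warning and, if this file declares `strict_types=1` as TYPO3 core files generally do, a TypeError from `md5(false)` rather than a rewrite of the cached copy. Neither md5 here is a secret, so `hash_equals()` changes nothing about timing in this spot, but it is harmless; the missing check is the real gap. Reading the path once and treating a failed read like a missing file keeps the intent of the comment on the line above (write when missing or different) and removes the TOCTOU window.
```php
$path = Environment::getPublicPath() . '/' . $filename;
// A cached copy that is missing or unreadable is treated like a stale one and rewritten
$cachedContent = file_exists($path) ? file_get_contents($path) : false;
if ($cachedContent === false || !hash_equals(md5($cachedContent), md5($externalContent))) {
    GeneralUtility::writeFile($path, $externalContent);
}
```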
-- 
GitLab