`User::matchEditToken` ends with
```php
if ( $val != $sessionToken ) {
wfDebug( "User::matchEditToken: broken session data\n" );
}
return hash_equals( $sessionToken, $val );
```
Any benefits from using constant time comparison are lost if there is a non-constant-time comparison in the same function.
Not sure if this is really a security issue (seems impossible to exploit since you cannot time CSRF requests) but erring on the side of safety.
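The flaw and the remedy side by side, as an added example rather than MediaWiki's own code: a simplified stand-in for `User::matchEditToken`, with `debugLog()` standing in for `wfDebug()` and the token values constructed for illustration.

```php
<?php
// Added example, not MediaWiki code. debugLog() is a constructed stand-in
// for wfDebug(); it writes to stderr so the script runs on its own.
function debugLog( string $msg ): void {
    fwrite( STDERR, $msg );
}

// BEFORE: `!=` is an ordinary string compare that stops at the first
// differing byte. Whether the debug branch is taken therefore depends on
// how much of $val matches, so the function is not constant time even
// though its return value comes from hash_equals().
function matchEditTokenLeaky( string $sessionToken, string $val ): bool {
    if ( $val != $sessionToken ) {
        debugLog( "matchEditToken: broken session data\n" );
    }
    return hash_equals( $sessionToken, $val );
}

// AFTER: compare exactly once in constant time and reuse that boolean for
// both the debug message and the return value. No second comparison of
// the secret exists anywhere in the function.
function matchEditTokenFixed( string $sessionToken, string $val ): bool {
    $equals = hash_equals( $sessionToken, $val );
    if ( !$equals ) {
        debugLog( "matchEditToken: broken session data\n" );
    }
    return $equals;
}

// Constructed tokens: 32 hex chars each, differing only in the last byte,
// which is exactly the case where a byte-by-byte compare runs longest.
$sessionToken = bin2hex( random_bytes( 16 ) );
$lastChar     = substr( $sessionToken, -1 );
$badToken     = substr( $sessionToken, 0, -1 ) . ( $lastChar === 'a' ? 'b' : 'a' );

var_dump( matchEditTokenFixed( $sessionToken, $sessionToken ) );
var_dump( matchEditTokenFixed( $sessionToken, $badToken ) );
```

hash_equals() requires both arguments to be strings, so keep the `string` type hints (or an explicit `is_string()` check) so a non-string token fails closed rather than falling back to a loose comparison.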
---
**Patch:** {F2998570}
* 1.23 - included in {F3112777}
* 1.24 - included in {F3113508}
* 1.25 - included in {F3110764}
* 1.26 - included in {F3110761}
**type:** CWE-208
**CVE:**
* CVE-2015-8623 - Use hash_equals for result of User::matchEditToken (fixed in https://gerrit.wikimedia.org/r/#/c/156336, backported in security release)
* CVE-2015-8624 - Use hash_equals for determining if the debug message should be logged