Description: use hash_equals() for widgets
 Fixes a potiential timing side-channel attack
 CVE-2015-5730
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/33535
Applied-Upstream: changeset 33535
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-08-05
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-includes/class-wp-customize-widgets.php
+++ b/wp-includes/class-wp-customize-widgets.php
@@ -1199,7 +1199,7 @@
 			return null;
 		}
 
-		if ( $this->get_instance_hash_key( $decoded ) !== $value['instance_hash_key'] ) {
+		if ( ! hash_equals( $this->get_instance_hash_key( $decoded ), $value['instance_hash_key'] ) ) {
 			return null;
 		}
 
