From 52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4 Mon Sep 17 00:00:00 2001
From: Stas Kozar
Date: Tue, 10 Mar 2020 12:26:51 +0200
Subject: [PATCH] MC-32188: Improve validation of secret keys

---
 app/code/Magento/Backend/App/AbstractAction.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/code/Magento/Backend/App/AbstractAction.php b/app/code/Magento/Backend/App/AbstractAction.php
index 2f01700bdf51c..c6d6c9fc5f8a8 100644
--- a/app/code/Magento/Backend/App/AbstractAction.php
+++ b/app/code/Magento/Backend/App/AbstractAction.php
@@ -16,6 +16,7 @@
 use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
 use Magento\Framework\Locale\ResolverInterface;
 use Magento\Framework\View\Element\AbstractBlock;
+use Magento\Framework\Encryption\Helper\Security;

 /**
 * Generic backend controller
@@ -386,7 +387,7 @@ protected function _validateSecretKey()
 }

 $secretKey = $this->getRequest()->getParam(UrlInterface::SECRET_KEY_PARAM_NAME, null);
- if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+ if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
 return false;
 }
 return true;
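Review bot: In the second hunk (`_validateSecretKey()`), the request parameter reaches `Security::compareStrings()` with no type check, so a parameter sent in array form is no longer rejected by the comparison itself as it was with the loose `!=`. The helper is not visible here, so whether it then casts the value or raises a notice is an assumption to confirm. An explicit guard keeps the rejection path clear, and passing the server-side key first matches the helper's `($expected, $actual)` order: `if (!$secretKey || !is_string($secretKey) || !Security::compareStrings($this->_backendUrl->getSecretKey(), $secretKey)) {`. A short why-comment above it, such as `// Constant-time comparison so response timing does not reveal how much of the key matched.`, would record why `!=` was replaced. The function body starts and ends outside the hunk, so the earlier public-action branch was not reviewed.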