From 2971ea9d10bf0288e5b94e62296efb8913a79b11 Mon Sep 17 00:00:00 2001
From: Lee Rowlands
Date: Fri, 5 Jan 2018 17:11:04 +1000
Subject: [PATCH] Issue #2934520 by tstoeckler: Avoid information disclosure by timing attack in EntityResource::patch()

---
 core/modules/rest/src/Plugin/rest/resource/EntityResource.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 4b6febcbe84..8b1c2fa979f 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -288,7 +288,7 @@ class EntityResource extends ResourceBase implements DependentPluginInterface {
 // the user has no legitimate way of knowing the current value of fields
 // that they are not allowed to view, and we must not make the presence or
 // absence of a 403 response a way to find that out.
- if ($original_field->equals($received_field) && $original_field->access('view')) {
+ if ($original_field->access('view') && $original_field->equals($received_field)) {
 return FALSE;
 }