[1.3.0] Fix #1912

CHANGELOG

@@ -253,6 +253,7 @@
    - Added Phalcon\Security::computeHmac() (#1347)
    - Bug fixes (#1347)
    - Constant-time string comparison in Phalcon\Security::checkHash() to prevent timing attacks (#1755)
+   - Phalcon\Security::checkHash() now correctly handles non-bcrypt hashes (#1912)
  - Phalcon\Session:
    - Fix Phalcon\Session\Bag::remove() (#1637)
    - Phalcon\Session\Adapter::get() may optionally remove the data from session (#1358)

ext/dispatcher.c

@@ -536,10 +536,10 @@ static int phalcon_dispatcher_fire_event(zval *return_value, zval *mgr, const ch
 			else {
 				status2 = phalcon_call_method_params(NULL, NULL, source, SL("_handleexception"), zend_inline_hash_func(SS("_handleexception")) TSRMLS_CC, 1, exception);
 			}
-		}
 
-		if (FAILURE == status2) {
-			status = FAILURE;
+			if (FAILURE == status2) {
+				status = FAILURE;
+			}
 		}
 
 		ZVAL_NULL(event_name);

ext/security.c

@@ -384,9 +384,11 @@ PHP_METHOD(Phalcon_Security, checkHash){
 		}
 
 		zval_ptr_dtor(&hash);
+		RETURN_BOOL(check == 0);
 	}
 
-	RETURN_BOOL(check == 0);
+	zval_ptr_dtor(&hash);
+	RETURN_FALSE;
 }
 
 /**

ext/tests/issue-1912.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Security::checkHash returns true when using with a non-bcrypt hash
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+$di = new \Phalcon\DI\FactoryDefault();
+$di->setShared('security', function () {
+	$security = new \Phalcon\Security();
+	$security->setWorkFactor(12);
+	return $security;
+});
+
+var_dump($di->get('security')->checkHash('not jelly beans', 'cb7d86ece76c57eac5ed18420ca67ea0'));
+?>
+--EXPECT--
+bool(false)