Use subtle.ConstantTimeCompare instead of simple string compare. Closes #2489

2022-12-23 21:26:08 -08:00 · 2022-12-23 21:26:08 -08:00 · cd874cda93
commit cd874cda93
parent 3894f410d2
1 changed files with 4 additions and 1 deletions
--- a/core/rtmp/utils.go
+++ b/core/rtmp/utils.go
@ -1,6 +1,7 @@
 package rtmp

 import (
+	"crypto/subtle"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -89,5 +90,7 @@ func secretMatch(configStreamKey string, path string) bool {
 	}

 	streamingKey := path[len(prefix):] // Remove $prefix
-	return streamingKey == configStreamKey
+
+	matches := subtle.ConstantTimeCompare([]byte(streamingKey), []byte(configStreamKey)) == 1
+	return matches
 }