From cd874cda93fd724bf15863b4f74e04a71501feae Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Fri, 23 Dec 2022 21:26:08 -0800
Subject: [PATCH] Use subtle.ConstantTimeCompare instead of simple string compare. Closes #2489
---
 core/rtmp/utils.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/core/rtmp/utils.go b/core/rtmp/utils.go
index 8e0a67f32..3c0614601 100644
--- a/core/rtmp/utils.go
+++ b/core/rtmp/utils.go
@@ -1,6 +1,7 @@
 package rtmp
 import (
+ "crypto/subtle"
 "encoding/json"
 "errors"
 "fmt"
@@ -89,5 +90,7 @@ func secretMatch(configStreamKey string, path string) bool {
 }
 streamingKey := path[len(prefix):] // Remove $prefix
- return streamingKey == configStreamKey
+
+ matches := subtle.ConstantTimeCompare([]byte(streamingKey), []byte(configStreamKey)) == 1
+ return matches
 }
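Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when its two slices differ in length, so the new comparison in `secretMatch` is constant-time only for same-length inputs and still reveals through timing whether the submitted key has the length of `configStreamKey`. Hashing both sides to a fixed size first removes that: `a, b := sha256.Sum256([]byte(streamingKey)), sha256.Sum256([]byte(configStreamKey))` followed by `return subtle.ConstantTimeCompare(a[:], b[:]) == 1`, with `crypto/sha256` added to the import block. Two empty slices also compare equal, so if an empty `configStreamKey` can reach this function (not visible in the hunk) a path with nothing after the prefix would match; a guard such as `if configStreamKey == "" { return false }` would rule that out. The beginning of `secretMatch`, including the prefix check, lies outside the hunk.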