LogalDeveloper/owncast
LogalDeveloper/owncast
0
Fork 0
Code

Use subtle.ConstantTimeCompare instead of simple string compare. Closes #2489

Browse Source
This commit is contained in:
Gabe Kangas 2022-12-23 21:26:08 -08:00
parent 3894f410d2
commit cd874cda93
No known key found for this signature in database
GPG Key ID: 4345B2060657F330
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
core/rtmp/utils.go
View File

@ -1,6 +1,7 @@
package rtmp package rtmp
import ( import (
"crypto/subtle"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -89,5 +90,7 @@ func secretMatch(configStreamKey string, path string) bool {
} }
streamingKey := path[len(prefix):] // Remove $prefix streamingKey := path[len(prefix):] // Remove $prefix
return streamingKey == configStreamKey
matches := subtle.ConstantTimeCompare([]byte(streamingKey), []byte(configStreamKey)) == 1
return matches
} }