Use subtle.ConstantTimeCompare instead of simple string compare. Closes #2489

Gabe Kangas 2022-12-23 21:26:08 -08:00
parent 3894f410d2
commit cd874cda93
No known key found for this signature in database
GPG key ID: 4345B2060657F330


@ -1,6 +1,7 @@
package rtmp package rtmp
import ( import (
"crypto/subtle"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@ -89,5 +90,7 @@ func secretMatch(configStreamKey string, path string) bool {
} }
streamingKey := path[len(prefix):] // Remove $prefix streamingKey := path[len(prefix):] // Remove $prefix
return streamingKey == configStreamKey
matches := subtle.ConstantTimeCompare([]byte(streamingKey), []byte(configStreamKey)) == 1
return matches
} }
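Review bot: subtle.ConstantTimeCompare returns 0 immediately when the two slices differ in length, so the new comparison in secretMatch is constant-time only for inputs of the right length, and timing can still reveal the length of the configured stream key. Hashing both values to a fixed size first removes that dependence: `got := sha256.Sum256([]byte(streamingKey))`, `want := sha256.Sum256([]byte(configStreamKey))`, `return subtle.ConstantTimeCompare(got[:], want[:]) == 1`, with `crypto/sha256` added to the import block. It is also worth confirming that an empty configStreamKey is rejected before this point, since two empty slices compare as equal; the earlier part of secretMatch is outside the hunk, so that may already be handled. A short comment such as `// Constant-time compare so response timing does not leak key contents.` above the call would keep a later edit from reverting to `==`.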