From 888a5d4812c97a818c4cc041a3f97aae8bd81afc Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov
Date: Fri, 14 Nov 2025 12:58:53 -0800
Subject: [PATCH] ipn/localapi: use constant-time comparison for RequiredPassword (#17906)

Updates #cleanup

Signed-off-by: Andrew Lytvynov
---
 ipn/localapi/localapi.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 9e7c16891..de5ff53ac 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -7,6 +7,7 @@ package localapi
 import (
 "bytes"
 "cmp"
+ "crypto/subtle"
 "encoding/json"
 "errors"
 "fmt"
@@ -257,7 +258,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "auth required", http.StatusUnauthorized)
 return
 }
- if pass != h.RequiredPassword {
+ if subtle.ConstantTimeCompare([]byte(pass), []byte(h.RequiredPassword)) == 0 {
 metricInvalidRequests.Add(1)
 http.Error(w, "bad password", http.StatusForbidden)
 return
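Review bot: `subtle.ConstantTimeCompare` on the new `if` line returns 0 immediately when the two slices differ in length, so the comparison is constant-time only in the contents and the length of `h.RequiredPassword` can still be inferred from response timing. Hashing both sides first makes the compared inputs fixed-size: `passHash := sha256.Sum256([]byte(pass))`, `wantHash := sha256.Sum256([]byte(h.RequiredPassword))`, `if subtle.ConstantTimeCompare(passHash[:], wantHash[:]) == 0 {` (with `"crypto/sha256"` added to the import block in the first hunk). Whether a length leak matters here depends on how RequiredPassword is provisioned, which is not visible in the hunk; a short comment such as `// Hash before comparing so timing does not depend on the length of either value.` would document the intent either way. ServeHTTP begins and ends outside the hunk.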