[GitHub] [kafka] rajinisivaram commented on a change in pull request #10978: MINOR: Use time constant algorithms when comparing passwords or keys

GitBox Wed, 07 Jul 2021 07:04:26 -0700


rajinisivaram commented on a change in pull request #10978:
URL: https://github.com/apache/kafka/pull/10978#discussion_r665403838




##########
File path: 
clients/src/main/java/org/apache/kafka/common/security/plain/internals/PlainServerCallbackHandler.java
##########
@@ -65,7 +65,7 @@ protected boolean authenticate(String username, char[] 
password) throws IOExcept
             String expectedPassword = 
JaasContext.configEntryOption(jaasConfigEntries,
                     JAAS_USER_PREFIX + username,
                     PlainLoginModule.class.getName());
-            return expectedPassword != null && Arrays.equals(password, 
expectedPassword.toCharArray());
+            return expectedPassword != null && Utils.isEqual(password, 
expectedPassword.toCharArray());

Review comment:
       Good point. Btw, this particular class (the default SASL/PLAIN 
server-side callback handler) is not recommended for production use, so perhaps 
not that critical.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [kafka] rajinisivaram commented on a change in pull request #10978: MINOR: Use time constant algorithms when comparing passwords or keys

Reply via email to