This is an automated email from the ASF dual-hosted git repository.

mmarshall pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-3.1 by this push:
     new c27beca64cc [fix][broker] Use MessageDigest.isEqual when comparing 
digests (#21061)
c27beca64cc is described below

commit c27beca64cc93848c40a374f19eaf4d3cc4f4f03
Author: Yiheng Cao <[email protected]>
AuthorDate: Fri Aug 25 00:41:32 2023 +0800

    [fix][broker] Use MessageDigest.isEqual when comparing digests (#21061)
    
    (cherry picked from commit c05954e66ff33098aeb848f4bde51613ace7e47e)
---
 .../org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
 
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
index c979566e485..82f760e14b7 100644
--- 
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
+++ 
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
@@ -76,7 +76,7 @@ public class SaslRoleTokenSigner {
         String originalSignature = signedStr.substring(index + 
SIGNATURE.length());
         String rawValue = signedStr.substring(0, index);
         String currentSignature = computeSignature(rawValue);
-        if (!originalSignature.equals(currentSignature)) {
+        if (!MessageDigest.isEqual(originalSignature.getBytes(), 
currentSignature.getBytes())){
             throw new AuthenticationException("Invalid signature");
         }
         return rawValue;
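Review bot: The new comparison still encodes both signatures with the no-argument `getBytes()`, which uses the platform default charset on JDKs before 18; the two sides agree with each other, so the check is not wrong, but an explicit charset removes a platform dependency from an authentication path and matches the usual idiom, e.g. `if (!MessageDigest.isEqual(originalSignature.getBytes(StandardCharsets.UTF_8), currentSignature.getBytes(StandardCharsets.UTF_8))) {` (this needs `java.nio.charset.StandardCharsets` in scope if it is not already imported elsewhere in the file). The same line is also missing a space before the opening brace (`)){`). Since `MessageDigest.isEqual` returns early when the two arrays differ in length, the constant-time property only holds for equal-length inputs; that appears acceptable here if `computeSignature` yields fixed-length output, which cannot be confirmed from this hunk. The enclosing method begins and ends outside the hunk.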
