Security: Restore password authentication for EncodingServer #513

Open

r3352 wants to merge 1 commit into google:master from r3352:fix/encodingserver-auth

Conversation

r3352 (Contributor) commented Apr 6, 2026

Summary

  • The EncodingServer (port 6969) had its entire password authentication block commented out in the source code, allowing unauthenticated command execution
  • Restores the original authentication logic and adds backward-compatible fallback when no password is configured

Vulnerability Details

CWE-306 (Missing Authentication for Critical Function)

EncodingServer.java:232-241 contains a password authentication check wrapped in a /* */ block comment, effectively disabling all authentication. The commented-out code was designed to check ENCODING_SERVER_PASSWORD_MD5 against the client's password. Without it, any network client can connect and issue START, STOP, TUNE, BUFFER, and SWITCH commands to control encoding hardware and specify recording output file paths.

Changes

  • Restored auth logic: Removed the /* */ block comment and // line comments to re-enable password checking
  • Backward compatibility: When ENCODING_SERVER_PASSWORD_MD5 is empty (default), auth is skipped — existing deployments without a configured password continue to work
  • Auth failure handling: Invalid passwords trigger INVALID_PASSWORD response and connection close (via return from the handler, which triggers the finally block cleanup)
  • Charset fix: Changed Sage.CHARSET to Sage.BYTE_CHARSET in auth response lines for consistency with the rest of the file
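The authentication gate the PR description lays out, as an added worked example in Java that is not the PR's diff and not SageTV's EncodingServer.java: a configured hash (standing in for ENCODING_SERVER_PASSWORD_MD5) is compared in constant time against the MD5 of the password the client sends, an empty configured value skips the check exactly as the PR's backward-compatible fallback does, and a mismatch sends INVALID_PASSWORD and returns from the handler so the cleanup in finally runs. The wire format (password on the first line, then one command per line until QUIT), the ISO-8859-1 encoding standing in for Sage.BYTE_CHARSET, UTF-8 encoding of the password before hashing, the "OK"/"ERROR" replies and the QUIT verb are all assumptions made for this example; only the five command verbs and the INVALID_PASSWORD response come from the PR text.

```java
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example of a password gate for a line-based command server; not SageTV's own code. */
public class EncodingServerAuthExample {

    enum AuthResult { ACCEPTED, SKIPPED_NO_PASSWORD_CONFIGURED, REJECTED }

    // Command verbs named in the PR description; the OK/ERROR replies below are assumed.
    static final List<String> COMMANDS = Arrays.asList("START", "STOP", "TUNE", "BUFFER", "SWITCH");

    /** Lower-case hex MD5 of the password. Hashing the UTF-8 bytes is an assumption. */
    static String md5Hex(String password) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(32);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /**
     * The gate. An empty configured hash skips authentication (the PR's backward-compatible
     * fallback); otherwise the client's password must hash to the configured value.
     * MessageDigest.isEqual compares in constant time and returns false on a length mismatch.
     */
    static AuthResult check(String configuredMd5, String clientPassword) {
        if (configuredMd5 == null || configuredMd5.isEmpty()) {
            return AuthResult.SKIPPED_NO_PASSWORD_CONFIGURED;
        }
        if (clientPassword == null) return AuthResult.REJECTED; // client hung up before sending one
        byte[] expected = configuredMd5.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(clientPassword).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual) ? AuthResult.ACCEPTED : AuthResult.REJECTED;
    }

    static void reply(OutputStream out, String line) throws IOException {
        out.write((line + "\r\n").getBytes(StandardCharsets.ISO_8859_1)); // stands in for Sage.BYTE_CHARSET
        out.flush();
    }

    /**
     * One client session over in-memory streams. Assumed wire format: first line is the
     * password, then one command per line until QUIT. Returns everything sent to the client.
     */
    static String handle(String configuredMd5, String clientInput) throws IOException {
        BufferedReader in = new BufferedReader(new StringReader(clientInput));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            AuthResult auth = check(configuredMd5, in.readLine());
            if (auth == AuthResult.REJECTED) {
                reply(out, "INVALID_PASSWORD");
                return new String(out.toByteArray(), StandardCharsets.ISO_8859_1); // finally still runs
            }
            String line;
            while ((line = in.readLine()) != null) {
                String verb = line.trim().split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
                if (verb.equals("QUIT")) break;
                reply(out, COMMANDS.contains(verb) ? "OK " + verb : "ERROR unknown command");
            }
            return new String(out.toByteArray(), StandardCharsets.ISO_8859_1);
        } finally {
            in.close(); // a real server closes the socket here, on both the return and the break path
        }
    }

    public static void main(String[] args) throws IOException {
        String configured = md5Hex("hunter2"); // constructed secret for the demo
        System.out.print(handle(configured, "wrong\r\nSTART 0\r\n"));                    // wrong password
        System.out.print(handle(configured, "hunter2\r\nSTART 0\r\nFORMAT\r\nQUIT\r\n")); // right password
        System.out.print(handle("", "\r\nSTOP\r\nQUIT\r\n"));                            // nothing configured
    }
}
```

Running main shows the three outcomes in order: the wrong password gets INVALID_PASSWORD and nothing else, the right one gets its START accepted and the unknown FORMAT rejected, and with an empty configured hash the STOP is accepted although no password was supplied. That last case is the fallback from the Changes list above: since the default value is empty, a deployment that never set ENCODING_SERVER_PASSWORD_MD5 stays reachable without a password even after the check is restored, so operators who want the restored check to bite have to set that property.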

google-cla bot commented Apr 6, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

r3352 force-pushed the fix/encodingserver-auth branch from 19452af to b732a8e on April 6, 2026 00:48