Item12641: DatabasePlugin leaks password if database connect fails

Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
Applies To: Extension
Component: DatabasePlugin
Branches:
Reported By: PhilippGortan
Waiting For:
Last Change By: GeorgeClark
I'm using DatabasePlugin to connect to a MySQL database. If the database is down for some reason, any page that contains a %DATABASE_SQL% macro will fail with:

DBI connect('xxx','xxx',...) failed: Can't connect to MySQL server on 'jira.apa.at' (110) at /appl/foswiki/foswiki/lib/Foswiki/Plugins/DatabasePlugin/Connection.pm line 31 at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 637 DBI::__ANON__('undef', 'undef') called at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 689 DBI::connect('DBI', 'xxx', 'xxx', 'PASSWORD', 'HASH(0x2ace4edb5900)') called at ...

Note that the second line contains the database password in plain text.

Installation is foswiki version 1.1.8 with DatabasePlugin version "Dakar".

-- PhilippGortan

Try SqlPlugin as long as DatabasePlugin isn't fixed yet.

-- MichaelDaum - 07 Nov 2013

Switched to that - thanks for the hint!

-- PhilippGortan - 07 Nov 2013
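
One way a connection wrapper can avoid the leak reported above, as an added example that is not DatabasePlugin or Foswiki code. `safe_connect`, the config keys and the demo credentials are hypothetical or constructed, and the example assumes the password reached the page through a stack trace taken while `DBI::connect` was on the call stack, as the quoted error shows.

```perl
#!/usr/bin/perl
# Added example, not DatabasePlugin code. safe_connect() and the config
# keys (dsn, user, password) are hypothetical names.
use strict;
use warnings;
use Carp ();
use DBI;

# Takes one hash ref, so a stack trace of this frame shows HASH(0x...)
# instead of the password as a positional argument.
sub safe_connect {
    my ($cfg) = @_;
    my $dbh = eval {
        # A $SIG{__DIE__} hook still fires inside eval; switch it off while
        # DBI::connect, which holds the password in its @_, is on the stack.
        local $SIG{__DIE__};
        DBI->connect(
            $cfg->{dsn}, $cfg->{user}, $cfg->{password},
            # Failure is reported by return value, not by die or warn
            # raised inside DBI::connect.
            { RaiseError => 0, PrintError => 0 },
        );
    };
    return $dbh if $dbh;

    # The driver's reason goes to STDERR only, with the password scrubbed
    # in case a driver echoes the connect arguments.
    my $reason = $DBI::errstr || $@ || 'unknown error';
    my $pw = defined $cfg->{password} ? $cfg->{password} : '';
    $reason =~ s/\Q$pw\E/[redacted]/g if length $pw;
    warn "database connect failed for dsn '$cfg->{dsn}': $reason\n";

    # Trailing newline: Perl appends no file or line to this message.
    die "Database is currently unavailable.\n";
}

# Constructed demo: an unknown driver name makes connect fail offline, and
# a confess-style die hook stands in for a framework that prints full traces.
my %cfg = (
    dsn      => 'dbi:NoSuchDriver:demo',
    user     => 'wiki',
    password => 'S3cr3t-demo',
);
local $SIG{__DIE__} = sub { Carp::confess(@_) };
eval { safe_connect( \%cfg ) };
print index( $@, $cfg{password} ) < 0 ? "trace is clean\n" : "PASSWORD LEAKED\n";
```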

Topic revision: r4 - 24 Dec 2014, GeorgeClark - This page was cached on 12 Nov 2018 - 21:37.
