Item12641: DatabasePlugin leaks password if database connect fails

Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
Applies To: Extension
Component: DatabasePlugin
Branches:
Reported By: PhilippGortan
Waiting For:
Last Change By: GeorgeClark
I'm using DatabasePlugin to connect to a MySQL database. If the database is down for some reason, any page that contains a %DATABASE_SQL% macro will fail with:

DBI connect('xxx','xxx',...) failed: Can't connect to MySQL server on 'jira.apa.at' (110) at /appl/foswiki/foswiki/lib/Foswiki/Plugins/DatabasePlugin/Connection.pm line 31 at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 637 DBI::__ANON__('undef', 'undef') called at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 689 DBI::connect('DBI', 'xxx', 'xxx', 'PASSWORD', 'HASH(0x2ace4edb5900)') called at ...

Note that the second line contains the database password in plain text.

Installation is foswiki version 1.1.8 with DatabasePlugin version "Dakar".

-- PhilippGortan

Try SqlPlugin as long as DatabasePlugin isn't fixed yet.

-- MichaelDaum - 07 Nov 2013

Switched to that - thanks for the hint!

-- PhilippGortan - 07 Nov 2013
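
The trace in the report exposes the password because the failure is raised as an exception inside `DBI->connect`, and the rendered call stack includes that call's arguments. The sketch below is an added example, not DatabasePlugin's code or a fix from the project: the helper name `safe_connect`, the DSN, the user name and the `PASSWORD` placeholder are constructed. It shows one way to keep the failure out of the page output.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical helper (not part of DatabasePlugin). Returns ($dbh) on success
# or (undef, $public_message) on failure.
sub safe_connect {
    my ($dsn, $user, $password) = @_;

    my $dbh = eval {
        # Switch off any global die handler for this scope so a failure
        # cannot be turned into a stack trace that lists the arguments.
        local $SIG{__DIE__};

        # With RaiseError and PrintError off, a failed connect returns undef
        # and leaves the driver's message in $DBI::errstr.
        DBI->connect($dsn, $user, $password,
            { RaiseError => 0, PrintError => 0 });
    };
    return $dbh if $dbh;

    # Detail is kept for the server-side log only.
    my $detail = $@ || $DBI::errstr || 'unknown error';

    # Defence in depth: scrub the password if it appears in the message.
    $detail =~ s/\Q$password\E/[redacted]/g
        if defined $password && length $password;

    # Write straight to STDERR so no __WARN__ handler adds a trace.
    print STDERR "database connect failed: $detail\n";

    # The rendered page only ever gets this generic text.
    return (undef, 'Database is currently unavailable.');
}

# Constructed sample values; db.invalid never resolves.
my ($dbh, $err) = safe_connect(
    'dbi:mysql:database=example;host=db.invalid', 'wiki', 'PASSWORD');
print "$err\n" unless $dbh;
```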

Topic revision: r4 - 24 Dec 2014, GeorgeClark