Item12641: DatabasePlugin leaks password if database connect fails
Priority: Urgent
Current State: Confirmed
Released In: n/a
Target Release:
I'm using DatabasePlugin to connect to a MySQL database. If the database is down for some reason, any page that contains a %DATABASE_SQL% macro will fail with:
DBI connect('xxx','xxx',...) failed: Can't connect to MySQL server on 'jira.apa.at' (110) at /appl/foswiki/foswiki/lib/Foswiki/Plugins/DatabasePlugin/Connection.pm line 31 at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 637 DBI::__ANON__('undef', 'undef') called at /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/DBI.pm line 689 DBI::connect('DBI', 'xxx', 'xxx', 'PASSWORD', 'HASH(0x2ace4edb5900)') called at ...
Note that the second line contains the database password in plain text.
Installation is foswiki version 1.1.8 with DatabasePlugin version "Dakar".
--
PhilippGortan
Try SqlPlugin as long as DatabasePlugin isn't fixed yet.
--
MichaelDaum - 07 Nov 2013
Switched to that - thanks for the hint!
--
PhilippGortan - 07 Nov 2013
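
One way to keep a failed connect from exposing credentials, as an added example (not DatabasePlugin or Foswiki code). It assumes the backtrace in the report came from a die handler that prints stack-frame arguments; the sub name connect_quietly and the DSN, user and password values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not DatabasePlugin code.
use strict;
use warnings;
use DBI;

# Returns ($dbh, undef) on success or (undef, $message) on failure.
# Credentials arrive in a hash ref: a backtrace prints a reference as
# HASH(0x...), as the report's trace does for the attribute hash, so the
# password is never a literal frame argument of this sub.
sub connect_quietly {
    my ($cfg) = @_;
    my $dbh = eval {
        # Drop any global die handler for this call only, so a handler that
        # appends a backtrace cannot print the DBI::connect frame with its
        # arguments (assumption: that is how the trace in the report arose).
        local $SIG{__DIE__};
        DBI->connect( $cfg->{dsn}, $cfg->{user}, $cfg->{password},
            { RaiseError => 0, PrintError => 0 } );
    };
    my $died = $@;
    return ( $dbh, undef ) if $dbh;

    # connect returned undef (server down) or died (e.g. driver missing).
    my $reason = $died || $DBI::errstr || 'unknown error';
    ($reason) = split /\n/, $reason;    # first line only, no stack frames
    $reason //= 'unknown error';
    my $pw = $cfg->{password};
    $reason =~ s/\Q$pw\E/[redacted]/g if defined $pw && length $pw;
    return ( undef, "database unavailable: $reason" );
}

# Constructed values: nothing listens on port 1, so the connect fails offline.
my %cfg = (
    dsn      => 'dbi:mysql:database=demo;host=127.0.0.1;port=1',
    user     => 'wiki',
    password => 'S3cret-constructed',
);
my ( $dbh, $error ) = connect_quietly( \%cfg );
if ($dbh) { $dbh->disconnect }
else {
    print "shown to the user: $error\n";
    print index( $error, $cfg{password} ) < 0
      ? "password not in message\n"
      : "password leaked\n";
}
```

Returning the message instead of dying inside the sub matters: a die raised from a frame that received the password as a plain argument would put it back into any backtrace a global handler appends.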