Closed rsutphin closed 12 years ago
@dbussink @dkubb Are you in agreement we should elide this information from our logging?
Yeah, we should not output this information in exceptions etc. so we should fix this behavior.
Definitely this info should stay away from log files!
@myabc I agree, we definitely should not display this information in exception output.
The question is, where should the change be made and who should make it? @dbussink and @myabc, are you able to change the C and Java drivers respectively, or would someone else be better for making these changes?
This only half-fixes the issue. In @rsutphin's original report, uri contained:
postgres:mdes_warehouse:ACTUAL_PASSWORD@server:5432mdes_warehouse_working?username=mdes_warehouse&database=mdes_warehouse_working&adapter=postgres&host=server&port=5432&password=ACTUAL_PASSWORD
The first occurrence of ACTUAL_PASSWORD is now removed, but the second one is still present, serialised by iterating through the query attribute.
This can be fixed by changing the relevant line to
string << "?" << query.select {|k,v| k!='password' }.map do |key, value|
(I know this is seriously old code, but logging passwords is a seriously big bug. ;) )
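Added example, not part of the thread or of DataObjects' own code: a standalone Ruby sketch of redacting both places the password can appear (the userinfo part and the query string) before a connection URI reaches an exception message or log line. The helper name `loggable_uri`, the constants, and the well-formed sample URI are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper (not DataObjects API): build a log-safe copy of a
# connection URI. The password can appear twice, in the userinfo part
# and again as a query parameter, so both places are handled.
SENSITIVE_KEYS = %w[password].freeze
WITHHELD = '[unparseable connection URI withheld]'.freeze

def loggable_uri(uri_string)
  uri = URI.parse(uri_string)

  out = "#{uri.scheme}://"
  out << "#{uri.user}@" if uri.user   # user name only, never uri.password
  out << uri.host.to_s
  out << ":#{uri.port}" if uri.port
  out << uri.path.to_s

  if uri.query
    # decode_www_form percent-decodes keys, so "Pass%77ord" is caught too.
    kept = URI.decode_www_form(uri.query).reject do |key, _value|
      SENSITIVE_KEYS.include?(key.downcase)
    end
    out << '?' << URI.encode_www_form(kept) unless kept.empty?
  end
  out
rescue URI::InvalidURIError, ArgumentError
  # Never fall back to echoing the raw string: it may hold the secret.
  WITHHELD
end

# Constructed sample, modelled on the URI quoted in the thread.
SAMPLE = 'postgres://mdes_warehouse:ACTUAL_PASSWORD@server:5432/' \
         'mdes_warehouse_working?username=mdes_warehouse&adapter=postgres' \
         '&host=server&port=5432&password=ACTUAL_PASSWORD'

puts loggable_uri(SAMPLE)
```

Filtering on the decoded, lower-cased key is what keeps an encoded or differently cased `password` parameter from slipping through a plain string comparison.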
When there's a database exception thrown, DO includes the database password in the logs. Example:
I'm seeing this with DO 0.10.7 and do_postgres 0.10.7. I'm using DO within DataMapper 1.2.0. I mentioned this issue on the datamapper mailing list and it was suggested that it's a DO bug.