qgis / qgis4.0_api

Tracker for QGIS 4.0 API related issues and developer discussion

Avoid automatic expandAuthConfig in QgsDataSourceUri::connectionInfo() and uri() #100

Open rouault opened 4 years ago

rouault commented 4 years ago

I just realized that the WFS provider automatically expanded authentication configuration with basic authentication to username & password in the URI, which can then leak in a project file. This is fundamentally due to QgsDataSourceUri::uri() (same issue with connectionInfo()) having a default bool expandAuthConfig = true parameter. For security-related functionality, depending on such implicit behaviour is rather dangerous. A few possibilities I can see:

  1. Change default value to false
  2. Remove this parameter and make the behaviour be equivalent to expandAuthConfig = false, and add, if needed, uriExpandAuthConfig() and connectionExpandAuthConfig()

luipir commented 4 years ago

super agree...

m-kuhn commented 4 years ago

  1. Remove this parameter and make the behaviour be equivalent to expandAuthConfig = false, and add, if needed, uriExpandAuthConfig() and connectionExpandAuthConfig()

:+1:
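
The API shape discussed in this thread, as an added example that is not QGIS code: a simplified model of a `uri(bool expandAuthConfig = true)` default next to the second proposal, where `uri()` never expands and expansion needs the explicitly named `uriExpandAuthConfig()`. `LegacyUri`, `SafeUri`, `AuthStore`, `saveLayerToProject()`, the URI string syntax and all sample values are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Hypothetical credential store: auth config id -> (username, password).
using AuthStore = std::map<std::string, std::pair<std::string, std::string>>;

// Builds the credential-bearing form. The URI syntax is constructed for illustration.
static std::string expanded(const std::string &url, const std::string &cfg, const AuthStore &s) {
    auto it = s.find(cfg);
    if (it == s.end()) return "url='" + url + "' authcfg=" + cfg;
    return "url='" + url + "' username='" + it->second.first +
           "' password='" + it->second.second + "'";
}

// Model of the shape the issue describes: expansion happens unless the caller opts out.
struct LegacyUri {
    std::string url, cfg; const AuthStore *store;
    std::string uri(bool expandAuthConfig = true) const {
        return expandAuthConfig ? expanded(url, cfg, *store)
                                : "url='" + url + "' authcfg=" + cfg;
    }
};

// Model of option 2: uri() only ever emits the config reference.
struct SafeUri {
    std::string url, cfg; const AuthStore *store;
    std::string uri() const { return "url='" + url + "' authcfg=" + cfg; }
    std::string uriExpandAuthConfig() const { return expanded(url, cfg, *store); }
};

// Hypothetical project writer: like any caller unaware of the flag, it calls uri().
template <class Uri>
std::string saveLayerToProject(const Uri &u) { return "<datasource>" + u.uri() + "</datasource>"; }

bool containsSecret(const std::string &text, const std::string &secret) {
    return text.find(secret) != std::string::npos;
}

int main() {
    AuthStore store{{"cfg0001", {"alice", "s3cret"}}};  // constructed sample values
    LegacyUri legacy{"https://example.org/wfs", "cfg0001", &store};
    SafeUri safe{"https://example.org/wfs", "cfg0001", &store};
    std::cout << saveLayerToProject(legacy) << "\n" << saveLayerToProject(safe) << "\n";
    return containsSecret(saveLayerToProject(safe), "s3cret") ? 1 : 0;
}
```

The same writer code leaks or does not leak depending only on the callee's default, which is why a test that asserts serialized output never contains a known test password is a useful regression guard for either proposal.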