yogthos
commented
3 years ago This looks reasonable to me as an immediate fix. I agree that logging the password is definitely worse than the alternative. Just pushed out 1.3.1 to Clojars with the fix.
Closed whenceforth closed 3 years ago
yogthos
commented
3 years ago This looks reasonable to me as an immediate fix. I agree that logging the password is definitely worse than the alternative. Just pushed out 1.3.1 to Clojars with the fix.
An aggressive fix for issue 189
It simply replaces a non-empty string entirely, to avoid the difficulties of parsing the uri and removing only the password. (This was suggested as an option by @jysandy when creating the bug.)
While not ideal, this is better than logging a password. Can we consider showing more information in this case as a future enhancement?
Context: luminus-migrations seem to require passing a URI rather than a db-spec, so issue 189 affects all users of that library.