Glimpse Configuration Tab is not masking the connection string password #288

Closed
simonebasso opened this Issue Mar 15, 2013 · 9 comments


My connection string is in this form:

Server=0.0.0.0; Database=mitcrm; User Id=netcrm; Password=clearlyvisible; Failover Partner=0.0.0.0; Application Name=Application

But the password is clearly visible, while in the wiki it says it should be masked:
https://github.com/Glimpse/Glimpse/wiki/Configuration-Tab

Owner

avanderhoorn commented Mar 18, 2013

This shouldn't be the case. Can you let me know what DbProvider you are using?

Owner

avanderhoorn commented Mar 18, 2013

Can you paste in here the XML fragment that you have in your config - obviously minus any sensitive details?

Ah, that was exactly what I thought I did, but GitHub did not like my XML : )
<add name="ElmahDb" connectionString="Server=sql01.uuu; Database=xxx; User Id=yyy; Password=clearlyvisible; Failover Partner=sql02.uuu; Application Name=AppElmahDK"/>

I noticed this today on a connection string that didn't have the provider name declared. Once I added the provider name of "System.Data.SqlClient" then the connection string was masked.

I believe the appropriate behavior is to assume it is a SqlClient provider if none is specified but I can't seem to find where I read that right now.

Owner

avanderhoorn commented Mar 22, 2013

You are very close, we don't assume you have SqlClient but we do assume that you have a provider. It's this missing provider that is causing the issue. The reason being, that I don't try and run a parser/regex to mask things out. Instead I use a ConnectionStringBuilder to do this. Once we have the connection string builder and have run the connection string through it, we have a typed version of the connection string, thus making finding and then replacing the password easy.

@nikmd23 What are your thoughts about providing a backup strategy that will try and find the password in the case that no provider is present?

Owner

nikmd23 commented Mar 22, 2013

A backup strategy sounds flaky at best.

My question is, what are the reasons why someone would not have a provider listed? I'm also not a huge fan of calling a missing value an Error, since technically nothing is broken, we just can't show details.

Reason not to have it explicitly on the web.config is that the default value is System.Data.SqlClient
http://msdn.microsoft.com/en-us/library/system.configuration.connectionstringsettings.providername.aspx

you should default to it too if a value is not specified

Owner

nikmd23 commented Mar 22, 2013

Seems to make sense to me @simonebasso.

Any thoughts on that @avanderhoorn?

Owner

avanderhoorn commented Mar 23, 2013

I'm happy to assume System.Data.SqlClient if it's not provided. I'll switch the code over to use this.
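The approach discussed in this thread, sketched as an added example that is not part of the issue and is not Glimpse's own code: the connection string is run through the provider's typed builder, `System.Data.SqlClient` is assumed when `providerName` is absent, and the whole string is hidden if no builder can be obtained or parsing fails. The names `ConnectionStringMasker`, `Redact`, `MaskText` and `Hidden` are hypothetical, the sample entry is constructed from the one posted above, and the code assumes .NET Framework with a reference to System.Configuration.

```csharp
using System;
using System.Configuration;
using System.Data.Common;

static class ConnectionStringMasker
{
    // Fallback agreed on in the thread for entries without providerName.
    const string DefaultProvider = "System.Data.SqlClient";
    const string MaskText = "********";
    const string Hidden = "[connection string hidden]";
    // Keywords treated as secrets; the SqlClient builder maps "Pwd" to "Password".
    static readonly string[] SecretKeys = { "Password", "Pwd" };

    public static string Redact(ConnectionStringSettings settings)
    {
        string provider = string.IsNullOrWhiteSpace(settings.ProviderName)
            ? DefaultProvider
            : settings.ProviderName;
        try
        {
            DbConnectionStringBuilder builder =
                DbProviderFactories.GetFactory(provider).CreateConnectionStringBuilder();
            if (builder == null) return Hidden; // provider offers no typed builder
            builder.ConnectionString = settings.ConnectionString; // typed parse, no regex
            foreach (string key in SecretKeys)
            {
                object value;
                if (builder.TryGetValue(key, out value) &&
                    !string.IsNullOrEmpty(Convert.ToString(value)))
                    builder[key] = MaskText;
            }
            return builder.ConnectionString;
        }
        catch (Exception)
        {
            // Unknown provider or unparsable string: show nothing rather than the raw value.
            return Hidden;
        }
    }

    static void Main()
    {
        // Constructed sample: same shape as the entry in the issue, no providerName.
        var entry = new ConnectionStringSettings("ElmahDb",
            "Server=sql01.uuu; Database=xxx; User Id=yyy; Password=clearlyvisible; " +
            "Failover Partner=sql02.uuu; Application Name=AppElmahDK");
        Console.WriteLine(Redact(entry));
    }
}
```

The builder re-serializes the string with its own canonical keyword names, so the displayed value will not match the configured text character for character.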

