Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MySqlConnection.Clone discloses connection password #735

Closed
bgrainger opened this issue Nov 4, 2019 · 1 comment
Closed

MySqlConnection.Clone discloses connection password #735

bgrainger opened this issue Nov 4, 2019 · 1 comment
Assignees
Labels

Comments

@bgrainger
Copy link
Member

By default, Persist Security Info is set to false in a connection string. According to the docs:

When set to false or no (strongly recommended), security-sensitive information, such as the password, is not returned as part of the connection string if the connection is open or has ever been in an open state.

However, by cloning an existing connection, the password can be retrieved from an open connection, violating the expectations around Persist Security Info=false. This represents a potential information disclosure vulnerability, although it seems likely that any untrusted code that could call this method could also just use reflection to access this private data.

A possible problem might be if a database access layer automatically logged the connection string when (for example) an exception occurred. Even still, this would likely only be logged for an open connection, which would redact the password from the connection string (whether cloned or not).

@bgrainger bgrainger added the bug label Nov 4, 2019
@bgrainger bgrainger self-assigned this Nov 4, 2019
@bgrainger
Copy link
Member Author

Introduced in #720.

Fixed in 0.60.4.

Also a bug in Connector/NET: https://bugs.mysql.com/bug.php?id=97473

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

1 participant