It doesn't seem right that an arbitrary caller can disable that setting on an existing connection.
This doesn't seem like a security vulnerability, because any code that can call that method can probably also retrieve the password via reflection. (There may be the possibility of inadvertent disclosure via logs if some component happened to be logging connection strings?)
Steps to reproduce
```csharp
var connection = new NpgsqlConnection("server=localhost;user id=root;password=test");
connection.Open();

// prints Host=localhost;Username=root
Console.WriteLine(connection.ConnectionString);

var connection2 = connection.CloneWith("PersistSecurityInfo=true;");

// prints Persist Security Info=True;Password=test
Console.WriteLine(connection2.ConnectionString);
```
Further technical details
Npgsql version: 4.1.1
I'm not sure exactly what I think about this... As you wrote,
Do you (or @YohDeadfall) have an actual scenario in mind?