CVE: MySql password exposed on the command line #3

Closed
tetravista opened this issue Jan 12, 2018 · 2 comments

@tetravista

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5002

@panthomakos
Owner

This gem is a wrapper for the mysql and mysqldump command line programs. It is not intended to be used as an interface to MySQL for application code. If you have a suggestion on how to circumvent passing the password on the command line for this gem I would be happy to hear it.

I know that these CLIs will read a .my.cnf file - so a password does not need to be exposed on the command line if you don't want it to - you just need to specify the password in your .my.cnf file and this gem will respect those settings.

@panthomakos
Owner

To circumvent this issue/confusion entirely, the latest version of this gem (v1.0.0) no longer supports a --password option. The expectation now is that passwords are only configured in a configuration file. This means it is no longer possible to expose passwords on the command line.
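
The approach described in the two comments above, keeping the password in an option file rather than in the process arguments, as an added Ruby example that is not part of the thread or the gem's code. All helper names are hypothetical; the code only builds argument lists (it never runs `mysqldump`) and assumes the standard `--defaults-extra-file` client option.

```ruby
require "tempfile"

# Hypothetical helper names; none of this is the gem's API.

# argv in the style the issue reports: the secret is a process argument,
# so other local users can read it from the process list.
def exposed_dump_argv(user, password, database)
  ["mysqldump", "--user=#{user}", "--password=#{password}", database]
end

# Write a [client] option file that only the current user can read.
def write_option_file(user:, password:, host: "localhost")
  [user, password, host].each do |value|
    # A line break would let a value smuggle in extra option lines.
    raise ArgumentError, "line break in option value" if value.match?(/[\r\n]/)
  end
  # Conservative choice for this example: refuse quotes rather than escape them.
  raise ArgumentError, "double quote in password" if password.include?('"')

  file = Tempfile.new(["mysql-client", ".cnf"])
  file.chmod(0o600)
  # Quoting keeps '#' from starting a comment; backslashes are doubled
  # because option files treat backslash as an escape character.
  file.write(<<~CNF)
    [client]
    user=#{user}
    host=#{host}
    password="#{password.gsub("\\") { "\\\\" }}"
  CNF
  file.flush
  file
end

# --defaults-extra-file must be the first option for the client to honour it.
def safe_dump_argv(option_file_path, database)
  ["mysqldump", "--defaults-extra-file=#{option_file_path}", database]
end

def argv_leaks_secret?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-pw#1" # constructed sample value
  cnf = write_option_file(user: "backup", password: secret)
  puts argv_leaks_secret?(exposed_dump_argv("backup", secret, "appdb"), secret)
  puts argv_leaks_secret?(safe_dump_argv(cnf.path, "appdb"), secret)
  cnf.close! # delete the option file once the client has exited
end
```
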
