wrap $password in closure to help avoid disclosure #16

Closed
bowman opened this Issue Feb 27, 2012 · 1 comment

bowman commented Feb 27, 2012

Rose::DB wraps passwords in a closure to make them a little less likely
to be dumped by accident:

http://code.google.com/p/rose/source/browse/trunk/modules/Rose-DB/lib/Rose/DB.pm#611

It seems like a nice idea. DBI itself seems to apply similar logic,
deleting Password from %attr:

    # attributes in DSN take precedence over \%attr connect parameter
    $user = $attr->{Username} if defined $attr->{Username};
    $pass = $attr->{Password} if defined $attr->{Password};
    delete $attr->{Password}; # always delete Password as closure stores it securely

Would it be desirable and possible to add something to DBIx::Connector?
I noticed the password in a debug dump that contained $conn.

It looks like this feature would require some fiddling around with _args
to just hide the password, but wrapping the whole of _args is easy
(and passed the tests): https://gist.github.com/1921245

That wasn't too bad so I tried just allowing a wrapped password:
https://gist.github.com/1921289 (also passes test)

If either of these options looks OK then I'm happy to add tests and docs
in a fork.

Brad
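
The closure technique described in the comment above, as an added example that is not part of the original post and is not DBIx::Connector, Rose::DB or DBI code. `My::Conn`, its fields and the credential are hypothetical, constructed for illustration; the script compares a plain-hash object with a closure-wrapped one under `Data::Dumper`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Hypothetical connection holder, for illustration only.
package My::Conn;

sub new {
    my ($class, %arg) = @_;
    my $pass = delete $arg{password};
    my $self = bless {%arg}, $class;
    # Keep the password in a lexical captured by a code ref instead of
    # storing the string in the object hash. Data::Dumper renders code
    # refs as sub { "DUMMY" }, so the value does not appear in a dump.
    $self->{password} = sub { $pass };
    return $self;
}

# Unwrap only at the point where the arguments are handed to the driver.
sub connect_args {
    my $self = shift;
    return ($self->{dsn}, $self->{user}, $self->{password}->());
}

package main;

my $secret = 'constructed-example-pw';    # constructed sample value
my %args   = (
    dsn      => 'dbi:Pg:dbname=example',  # constructed sample value
    user     => 'app',
    password => $secret,
);

# Before: password kept as a plain hash value, visible in any debug dump.
my $plain_dump = Dumper({%args});
print "plain hash leaks password: ",
    (index($plain_dump, $secret) >= 0 ? "yes" : "no"), "\n";

# After: password wrapped in a closure.
my $conn         = My::Conn->new(%args);
my $wrapped_dump = Dumper($conn);
print $wrapped_dump;
die "password leaked into dump\n" if index($wrapped_dump, $secret) >= 0;

# The wrapped value is still available to the code that needs it.
my @connect = $conn->connect_args;
die "password not recoverable\n" unless $connect[2] eq $secret;
print "closure-wrapped object dumps clean; connect args intact\n";
```

The wrapper only keeps the value out of accidental dumps and logs; any code holding the object can still call the code ref, so it is not an access control.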

Owner

theory commented Feb 27, 2012

Great idea, done in 5c92244. Thanks!

theory closed this Feb 27, 2012
