Connection string visible for everyone

thread: 5 messages  |  last: a year ago  |  started: thursday, april 8, 2010, 1:34 pm pdt


#1  |  Mischa Kroon (Holland) Netherlands (Holland, Europe)
Thursday, April 8, 2010, 1:34 PM PDT

In index.php there is an:
QApplication::QcodoInfo();

If you don't remove this then your connection string will be visible for everyone.
I think this is something which should always be avoided.

Username + Password should never be available by default.

In my opinion this is a huge security risk.

#2  |  Mike Ho (Sunnyvale, CA) United States of America Qcodo Administrator
Monday, April 12, 2010, 2:40 PM PDT

Thanks for the catch.  Could you open up a ticket in the issue tracker?  Thanks!

#3  |  Zbyszek Czarnecki (Warsaw, PL) Poland
Thursday, April 15, 2010, 5:07 AM PDT

I went ahead and made a patch for merging:
http://github.com/klucznik/qcodo/commit/10a8d47825d0ae1e68ffd6f4710af82010dd2ff2

#4  |  Mike Ho (Sunnyvale, CA) United States of America Qcodo Administrator
Friday, April 16, 2010, 1:40 PM PDT

Thanks!  Let me first figure out how this git cherry-pick thing works, and I'll get it merged in right away (along with some of the other things you sent me... =)

Thanks!

#5  |  Mike Ho (Sunnyvale, CA) United States of America Qcodo Administrator
Wednesday, April 21, 2010, 6:00 PM PDT

Thanks guys -- I've put in the patch, but made a small change.  I think (especially for diagnostic purposes) it actually is quite valuable to have the username in there.

I've also changed the password so that it's obfuscated instead of removed altogether.  So for debug/learning purposes, it's obvious that the password is actually part of the array -- it's just not showing.

Take a look and let me know what you think.
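An added example (not Qcodo's own code and not the linked patch) of the approach described in #5: keep the username in the diagnostic array but mask the password before anything is rendered, and do the same for passwords embedded in DSN-style strings. The config array shape and the key names (`password`, `username`, `legacy_dsn`) are assumptions modelled on the thread, not Qcodo's actual configuration keys.

```php
<?php
// Added example, not Qcodo's own code. Key names and the config layout
// are assumptions; adapt $secretKeys to the real configuration.

/**
 * Return a copy of $config in which every value stored under a
 * secret-looking key is replaced by a mask of the same length, so a
 * reader of the diagnostics page can see the value exists without
 * learning it. Nested arrays are walked recursively so that several
 * database profiles (e.g. $config[1], $config[2]) are all covered.
 */
function redactDbConfig(array $config, array $secretKeys = ['password', 'pass', 'pwd', 'secret']): array
{
    $out = [];
    foreach ($config as $key => $value) {
        if (is_array($value)) {
            $out[$key] = redactDbConfig($value, $secretKeys);
        } elseif (is_string($key) && in_array(strtolower($key), $secretKeys, true)) {
            // Keep the key, hide the value; an empty password stays visibly empty.
            $out[$key] = $value === '' ? '' : str_repeat('*', strlen((string) $value));
        } elseif (is_string($value) && preg_match('#^[a-z]+://[^:/@]+:[^@]*@#i', $value)) {
            // DSN-style strings carry the password after the first colon of the
            // user-info part; mask only that part and keep host/database readable.
            $out[$key] = preg_replace('#^([a-z]+://[^:/@]+):[^@]*@#i', '$1:****@', $value);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample mirroring the shape of a per-database config array.
$sample = [
    1 => [
        'adapter'  => 'MySqli',
        'server'   => 'localhost',
        'username' => 'qcodo_app',   // kept visible, as in the merged change
        'password' => 's3cret',      // masked to "******"
        'database' => 'qcodo',
    ],
    'legacy_dsn' => 'mysql://reporting:hunter2@db.internal/reports',
];

// Only the redacted copy should ever reach a diagnostics or info page.
print_r(redactDbConfig($sample));
```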



Copyright © 2005 - 2012, Quasidea Development, LLC
This open-source framework for PHP is released under the terms of The MIT License.