Test connection always show password in log file. #101
Description
If you enable logging in a DSN, when you click on the 'Test connection' button, several log sentences include the connection string without hiding the password property.
In the drvconn.c file, the FORCE_PASSWORD_DISPLAY flag is defined:
#define FORCE_PASSWORD_DISPLAY
#define NULL_IF_NULL(a) (a ? a : "(NULL)")
So every time the flag is checked to determine if the password must be hidden, the connection string will not be hidden.
I found the following three cases:
- In
PGAPI_DriverConnectmethod:
#ifdef FORCE_PASSWORD_DISPLAY
MYLOG(0, "**** fDriverCompletion=%d, connStrIn='%s'\n", fDriverCompletion, connStrIn);
#else
if (get_mylog())
{
char *hide_str = hide_password(connStrIn);
MYLOG(0, "**** fDriverCompletion=%d, connStrIn='%s'\n", fDriverCompletion, NULL_IF_NULL(hide_str));
if (hide_str)
free(hide_str);
}
#endif /* FORCE_PASSWORD_DISPLAY */
- Also, the following code appears in the same method
#ifdef FORCE_PASSWORD_DISPLAY
if (cbConnStrOutMax > 0)
{
MYLOG(0, "szConnStrOut = '%s' len=" FORMAT_SSIZE_T ",%d\n", NULL_IF_NULL((char *) szConnStrOut), len, cbConnStrOutMax);
}
#else
if (get_mylog())
{
char *hide_str = NULL;
if (cbConnStrOutMax > 0)
hide_str = hide_password(szConnStrOut);
MYLOG(0, "szConnStrOut = '%s' len=%d,%d\n", NULL_IF_NULL(hide_str), len, cbConnStrOutMax);
if (hide_str)
free(hide_str);
}
#endif /* FORCE_PASSWORD_DISPLAY */
- And the last occurrence can be found in
dconn_get_attributesmethod:
#ifdef FORCE_PASSWORD_DISPLAY
MYLOG(0, "our_connect_string = '%s'\n", our_connect_string);
#else
if (get_mylog())
{
char *hide_str = hide_password(our_connect_string);
MYLOG(0, "our_connect_string = '%s'\n", hide_str);
free(hide_str);
}
#endif /* FORCE_PASSWORD_DISPLAY */
I assume that this is not the expected behavior.
- Maybe the password could be shown only at a certain log level.
What do you think?
Regard,
Carlos