Created attachment 112003 [details] Display of the full JDBC connection string in Base's status bar Sometimes it is appropriate to store the password for a database connection as part of the JDBC connection string, so the user with (ideally legitimate) access to an odb-file can query a remote database without the need to supply the password. However, LO Base prints the full JDBC connection string in the application window's status bar, so other people passing by the screen are able to read the cleartext password (see the attached screenshot). Though that would not provide any "real" security, this information disclosure seems not necessary. As a solution, there should be a setting allowing a user to disable the display of the JDBC connection string at all, or any sensitive information like password and possibly user name should be obfuscated in the status bar, e.g. by printing just a "*" instead.
Created attachment 112010 [details] db connection parameters
Can not reproduce on my masterbuild on OSX 10.10.1 using build Version: 4.5.0.0.alpha0+ Build ID: 9dbac35b1e55c49b2f1e595f4dfe3437c3fedb58 Locale: fr_
As you can see from the attached screenshot, the only string I see is the db name followed by any optional connection parameters. You should not be putting id and password combos directly in here, but rather use the separate dialog provided for that purpose. @cpohle : please provide jdbc connector version (just in case it makes a difference, but I doubt it), and please tell us how you set up your connection to the db - I'm assuming via the wizard ? Setting to NEEDINFO pending requested information. Please set back to UNCONFIRMED once you have provided the requested information.
At best, this might be considered as a request for enhancement, but I doubt the rationale and development effort in providing a UI switch to turn on/off the display of the string in the main db window for someone who has hard coded the pwd/id combo into the connection string. However, I'm not a developer.
Changing title to reflect the request as I understand it from initial posting.
I notice from your screen shot that you are accessing the mysql db via the general jdbc setup rather than the mysql(jdbc) setup. Why ?
Since we have a separate UI for creating a mysql jdbc connector, I'm wondering whether this is even a valid request.
(In reply to Alex Thurgood from comment #7) > Since we have a separate UI for creating a mysql jdbc connector connection, I'm > wondering whether this is even a valid request.
(In reply to Alex Thurgood from comment #3) > As you can see from the attached screenshot, the only string I see is the db > name followed by any optional connection parameters. You should not be > putting id and password combos directly in here, but rather use the separate > dialog provided for that purpose. You're right. But to the best of my knowledge, providing authentication data as part of the connection string is the only way to prevent the user from having to enter the password everytime he want's to access the database, e.g. for grabbing an address for a mail-merge in Writer. I understand that this approach is terrible from a security perspective, but it's viable as a compromise in certain usage scenarios (e.g. when access to the odb file can be restricted by other means).
(In reply to Alex Thurgood from comment #6) > I notice from your screen shot that you are accessing the mysql db via the > general jdbc setup rather than the mysql(jdbc) setup. Why ? This setup was just used for the screenshot. We use other (commercial) db systems, for which only JDBC drivers are provided.
(In reply to Alex Thurgood from comment #7) > Since we have a separate UI for creating a mysql jdbc connector, I'm > wondering whether this is even a valid request. Please see my comment #10 for a reply.
(In reply to Alex Thurgood from comment #4) > At best, this might be considered as a request for enhancement, but I doubt > the rationale and development effort in providing a UI switch to turn on/off > the display of the string in the main db window for someone who has hard > coded the pwd/id combo into the connection string. However, I'm not a > developer. I'm not a developer, neither. However, I think a static regex-replace against the connection string bevore displaying it in the status bar would suffice to solve this issue.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.