Bug 88232 - UI - provide an option to hide JDBC URL and connection parameters in status bar
Status: NEEDINFO
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Database
Version: 4.4.0.1 rc
Hardware: Other All
Importance: medium normal
Assignee: Not Assigned
Reported: 2015-01-09 11:32 UTC by cpohle
Modified: 2015-01-09 20:13 UTC

Attachments
Display of the full JDBC connection string in Base's status bar (16.15 KB, image/png)
2015-01-09 11:32 UTC, cpohle
db connection parameters (43.16 KB, image/png)
2015-01-09 14:28 UTC, Alex Thurgood

Description cpohle 2015-01-09 11:32:16 UTC
Created attachment 112003
Display of the full JDBC connection string in Base's status bar

Sometimes it is appropriate to store the password for a database connection as part of the JDBC connection string, so the user with (ideally legitimate) access to an odb-file can query a remote database without the need to supply the password.

However, LO Base prints the full JDBC connection string in the application window's status bar, so other people passing by the screen are able to read the cleartext password (see the attached screenshot).

Though that would not provide any "real" security, this information disclosure seems unnecessary. As a solution, there should be a setting allowing a user to disable the display of the JDBC connection string altogether, or any sensitive information like the password and possibly the user name should be obfuscated in the status bar, e.g. by printing just a "*" instead.
Comment 1 Alex Thurgood 2015-01-09 14:28:28 UTC
Created attachment 112010
db connection parameters
Comment 2 Alex Thurgood 2015-01-09 14:29:27 UTC
Cannot reproduce on my master build on OSX 10.10.1

using build 

Version: 4.5.0.0.alpha0+
Build ID: 9dbac35b1e55c49b2f1e595f4dfe3437c3fedb58
Locale: fr_
Comment 3 Alex Thurgood 2015-01-09 14:34:10 UTC
As you can see from the attached screenshot, the only string I see is the db name followed by any optional connection parameters. You should not be putting id and password combos directly in here, but rather use the separate dialog provided for that purpose.

@cpohle: please provide the jdbc connector version (just in case it makes a difference, but I doubt it), and please tell us how you set up your connection to the db - I'm assuming via the wizard?

Setting to NEEDINFO pending requested information.

Please set back to UNCONFIRMED once you have provided the requested information.
Comment 4 Alex Thurgood 2015-01-09 14:37:01 UTC
At best, this might be considered as a request for enhancement, but I doubt the rationale and development effort in providing a UI switch to turn on/off the display of the string in the main db window for someone who has hard coded the pwd/id combo into the connection string. However, I'm not a developer.
Comment 5 Alex Thurgood 2015-01-09 14:38:48 UTC
Changing title to reflect the request as I understand it from initial posting.
Comment 6 Alex Thurgood 2015-01-09 14:41:16 UTC
I notice from your screenshot that you are accessing the mysql db via the general jdbc setup rather than the mysql(jdbc) setup. Why?
Comment 7 Alex Thurgood 2015-01-09 14:42:36 UTC
Since we have a separate UI for creating a mysql jdbc connector, I'm wondering whether this is even a valid request.
Comment 8 Alex Thurgood 2015-01-09 14:43:02 UTC
(In reply to Alex Thurgood from comment #7)
> Since we have a separate UI for creating a mysql jdbc connector  connection, I'm
> wondering whether this is even a valid request.
Comment 9 cpohle 2015-01-09 20:00:29 UTC
(In reply to Alex Thurgood from comment #3)
> As you can see from the attached screenshot, the only string I see is the db
> name followed by any optional connection parameters. You should not be
> putting id and password combos directly in here, but rather use the separate
> dialog provided for that purpose.

You're right. But to the best of my knowledge, providing authentication data as part of the connection string is the only way to prevent the user from having to enter the password every time he wants to access the database, e.g. for grabbing an address for a mail-merge in Writer.

I understand that this approach is terrible from a security perspective, but it's viable as a compromise in certain usage scenarios (e.g. when access to the odb file can be restricted by other means).
Comment 10 cpohle 2015-01-09 20:02:40 UTC
(In reply to Alex Thurgood from comment #6)
> I notice from your screen shot that you are accessing the mysql db via the
> general jdbc setup rather than the mysql(jdbc) setup. Why ?

This setup was just used for the screenshot. We use other (commercial) db systems, for which only JDBC drivers are provided.
Comment 11 cpohle 2015-01-09 20:03:19 UTC
(In reply to Alex Thurgood from comment #7)
> Since we have a separate UI for creating a mysql jdbc connector, I'm
> wondering whether this is even a valid request.

Please see my comment #10 for a reply.
Comment 12 cpohle 2015-01-09 20:13:36 UTC
(In reply to Alex Thurgood from comment #4)
> At best, this might be considered as a request for enhancement, but I doubt
> the rationale and development effort in providing a UI switch to turn on/off
> the display of the string in the main db window for someone who has hard
> coded the pwd/id combo into the connection string. However, I'm not a
> developer.

I'm not a developer, either. However, I think a static regex-replace against the connection string before displaying it in the status bar would suffice to solve this issue.

