Re: [dtp-dev] a critical security bug

Hey Anthos,

Sorry I missed this when I dispo'd the defect, but the file you are
referring to is the file which stores the driver information.  The uid and
pwd information there is used for default values when creating a new
connection profile (e.g. specifying the default uid/pwd for a particular
vendor's DB).  The information in the profile is what is used when opening
connections and is encrypted when saved to the file system.

I would recommend against storing user-specific passwords in driver
instances (its intended purpose was for specifying default values; e.g.
sa/<blank> or the default uid/pwd for sample db's/schemas shipped with the
server).  It was not intended to store specific uid/pwd combinations.  If
this is not acceptable, my recommendation would be to remove those
properties from your driver extension altogether.

Hope that helps.
Rob
