https://bugs.freedesktop.org/show_bug.cgi?id=88232

            Bug ID: 88232
           Summary: JDBC password disclosure in status bar
           Product: LibreOffice
           Version: 4.4.0.1 rc
          Hardware: Other
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Database
          Assignee: libreoffice-bugs@lists.freedesktop.org
          Reporter: cpo...@gmail.com

Created attachment 112003
  --> https://bugs.freedesktop.org/attachment.cgi?id=112003&action=edit
Display of the full JDBC connection string in Base's status bar

Sometimes it is appropriate to store the password for a database connection as
part of the JDBC connection string, so the user with (ideally legitimate)
access to an odb-file can query a remote database without the need to supply
the password.

However, LO Base prints the full JDBC connection string in the application
window's status bar, so other people passing by the screen are able to read the
cleartext password (see the attached screenshot).

Though that would not provide any "real" security, this information disclosure
seems unnecessary. As a solution, there should be a setting allowing a user
to disable the display of the JDBC connection string altogether, or any sensitive
information like password and possibly user name should be obfuscated in the
status bar, e.g. by printing just a "*" instead.

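
Added example, not part of the original report and not LibreOffice code: one way to do the obfuscation the report proposes, masking the password (and optionally the user name) in common JDBC URL layouts before the string reaches UI text. The helper name mask_jdbc_url and the sample URLs are constructed for illustration.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Hypothetical helper (not a LibreOffice function): returns a copy of a JDBC
// URL that is safe to show in a status bar. Passwords become "*"; user names
// too when mask_user is set. Layouts it does not recognise pass through
// unchanged, so a UI should fall back to hiding the URL for unknown drivers.
std::string mask_jdbc_url(const std::string& url, bool mask_user = false) {
    static const auto flags = std::regex::ECMAScript | std::regex::icase;
    // key=value properties after '?', '&' or ';' (e.g. ...?user=u&password=p)
    static const std::regex pw_prop(R"re(([?&;](?:password|pwd)=)[^&;]*)re", flags);
    static const std::regex user_prop(R"re(([?&;](?:user|username)=)[^&;]*)re", flags);
    // user:password@host in the authority part (//user:password@host/db)
    static const std::regex userinfo(R"re((//)([^/@:]+)(:)[^/@]*(@))re", flags);
    // Oracle thin style (jdbc:oracle:thin:user/password@...)
    static const std::regex ora_thin(R"re((:thin:)([^/@:]+)(/)[^/@]*(@))re", flags);

    const char* cred_fmt = mask_user ? "$1*$3*$4" : "$1$2$3*$4";
    std::string out = std::regex_replace(url, pw_prop, "$1*");
    out = std::regex_replace(out, userinfo, cred_fmt);
    out = std::regex_replace(out, ora_thin, cred_fmt);
    if (mask_user)
        out = std::regex_replace(out, user_prop, "$1*");
    return out;
}

int main() {
    // Constructed sample URLs; hosts and credentials are made up.
    const char* samples[] = {
        "jdbc:postgresql://db.example.org:5432/sales?user=report&password=s3cret&ssl=true",
        "jdbc:sqlserver://db.example.org:1433;databaseName=hr;user=app;Password=Hunter2;",
        "jdbc:mysql://report:s3cret@db.example.org:3306/sales",
        "jdbc:oracle:thin:scott/tiger@//db.example.org:1521/ORCL",
    };
    for (const char* s : samples)
        std::cout << mask_jdbc_url(s) << "\n" << mask_jdbc_url(s, true) << "\n";
    return 0;
}
```

Masking only changes what is displayed; the password is still stored in cleartext in the connection string itself.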