HikariCP

Incorrect URL sanitation

Open alexcom opened this issue 4 years ago • 2 comments

The DriverDataSource class contains this line:

String sanitizedUrl = jdbcUrl.replaceAll("([?&;]password=)[^&#;]*(.*)", "$1<masked>$2");

Recently I stumbled upon an issue with passwords containing, for example, a semicolon. When the driver is not found, I see in the exception message that only half of the password was masked. Verified that this line is still in the current dev branch.

Environment

HikariCP version: 3.4.0
JDK version     : 12
Database        : MS SQL
Driver version  : 7.2.0

alexcom, Nov 19 '19 13:11
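The partial masking described above can be reproduced with the quoted replacement on its own. This is an added example, not code from the issue or from HikariCP; the URLs and passwords are constructed, and `maskToEnd` is a hypothetical conservative alternative that redacts everything from `password=` to the end of the string, because the end of the value cannot be located reliably when it may contain the delimiter. It also matches the key case-insensitively, which goes beyond what the issue reports.

```java
import java.util.regex.Pattern;

public class JdbcUrlMaskDemo {

    // The replacement quoted in the issue: the value is assumed to end at
    // the first '&', '#' or ';', and whatever follows is kept as-is.
    static String maskAsInIssue(String jdbcUrl) {
        return jdbcUrl.replaceAll("([?&;]password=)[^&#;]*(.*)", "$1<masked>$2");
    }

    // Hypothetical alternative (not HikariCP code): drop everything after the
    // first "password=" so no fragment of the secret can reach a log or an
    // exception message. Trailing properties are lost from the message, which
    // is the trade-off for not guessing where the value ends.
    private static final Pattern FROM_PASSWORD = Pattern.compile(
            "([?&;]password=).*", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    static String maskToEnd(String jdbcUrl) {
        return FROM_PASSWORD.matcher(jdbcUrl).replaceFirst("$1<masked>");
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host, user and passwords are made up.
        String[] urls = {
            // ';' inside the password, ';' also used as property separator
            "jdbc:sqlserver://db.example.test:1433;databaseName=app;user=svc;password=Secr;et99;encrypt=true",
            // ';' inside the password, '&' used as property separator
            "jdbc:mysql://db.example.test:3306/app?user=svc&password=Secr;et99&useSSL=true",
            // differently cased key: the quoted pattern is case-sensitive
            "jdbc:sqlserver://db.example.test:1433;user=svc;Password=Secret99;encrypt=true"
        };

        for (String url : urls) {
            System.out.println("input       : " + url);
            System.out.println("as in issue : " + maskAsInIssue(url));
            System.out.println("mask to end : " + maskToEnd(url));
            System.out.println();
        }
    }
}
```

Run it with `java JdbcUrlMaskDemo.java` and compare the `as in issue` lines with the inputs: any part of the password after the first `;` is still present in the output.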

Today I've got some evidence that a semicolon in the password could lead to connection failure. Probably the issue exists not only in this exception message sanitation code but in the JDBC URL handling code as well.

alexcom, Nov 20 '19 15:11

Can you resolve the problem?

ranqiqiang, Nov 30 '21 06:11