Don't provide the password with dbconsole unless explicitly opted in.

Some operating system configurations allow other users to view your process list
or environmental variables.  This option should not be used on shared hosts.

http://dev.mysql.com/doc/refman/5.0/en/password-security.html
http://www.postgresql.org/docs/8.3/static/libpq-envars.html

1 files changed, 11 insertions, 3 deletions

diff --git a/railties/lib/commands/dbconsole.rb b/railties/lib/commands/dbconsole.rb
index b81997aa59..17acb7b68f 100644
--- a/railties/lib/commands/dbconsole.rb
+++ b/railties/lib/commands/dbconsole.rb
@@ -2,8 +2,13 @@ require 'erb'
 require 'yaml'
 require 'optparse'
 
+include_password = false
+
 OptionParser.new do |opt|
-  opt.banner = "Usage: dbconsole [environment]"
+  opt.banner = "Usage: dbconsole [options] [environment]"
+  opt.on("-p", "--include-password", "Automatically provide the database from database.yml") do |v|
+    include_password = true
+  end
   opt.parse!(ARGV)
   abort opt.to_s unless (0..1).include?(ARGV.size)
 end
@@ -31,10 +36,13 @@ when "mysql"
     'port'      => '--port',
     'socket'    => '--socket',
     'username'  => '--user',
-    'password'  => '--password',
     'encoding'  => '--default-character-set'
   }.map { |opt, arg| "#{arg}=#{config[opt]}" if config[opt] }.compact
 
+  if config['password'] && include_password
+    args << "--password=#{config['password']}"
+  end
+
   args << config['database']
 
   exec(find_cmd('mysql5', 'mysql'), *args)
@@ -43,7 +51,7 @@ when "postgresql"
   ENV['PGUSER']     = config["username"] if config["username"]
   ENV['PGHOST']     = config["host"] if config["host"]
   ENV['PGPORT']     = config["port"].to_s if config["port"]
-  ENV['PGPASSWORD'] = config["password"].to_s if config["password"]
+  ENV['PGPASSWORD'] = config["password"].to_s if config["password"] && include_password
   exec(find_cmd('psql'), config["database"])
 
 when "sqlite"