From 58a342a51b74ff5b38186df5a1c68d28e9ab42e8 Mon Sep 17 00:00:00 2001
From: Matt Irvine
Date: Tue, 18 Jul 2017 13:40:26 -0700
Subject: [PATCH] Use proper SecureString construction to avoid empty password issues (#417)
---
 .../Admin/AdminService.cs | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/src/Microsoft.SqlTools.ServiceLayer/Admin/AdminService.cs b/src/Microsoft.SqlTools.ServiceLayer/Admin/AdminService.cs
index 85ea46f7..efeccefc 100644
--- a/src/Microsoft.SqlTools.ServiceLayer/Admin/AdminService.cs
+++ b/src/Microsoft.SqlTools.ServiceLayer/Admin/AdminService.cs
@@ -175,25 +175,22 @@ namespace Microsoft.SqlTools.ServiceLayer.Admin
 internal static DatabaseTaskHelper CreateDatabaseTaskHelper(ConnectionInfo connInfo, bool databaseExists = false)
 {
 XmlDocument xmlDoc = CreateDataContainerDocument(connInfo, databaseExists);
- char[] passwordArray = connInfo.ConnectionDetails.Password.ToCharArray();
 CDataContainer dataContainer;
 // check if the connection is using SQL Auth or Integrated Auth
 if (string.Equals(connInfo.ConnectionDetails.AuthenticationType, "SqlLogin", StringComparison.OrdinalIgnoreCase))
 {
- unsafe
- {
- fixed (char* passwordPtr = passwordArray)
- {
- dataContainer = new CDataContainer(
- CDataContainer.ServerType.SQL,
- connInfo.ConnectionDetails.ServerName,
- false,
- connInfo.ConnectionDetails.UserName,
- new System.Security.SecureString(passwordPtr, passwordArray.Length),
- xmlDoc.InnerXml);
- }
+ var passwordSecureString = new System.Security.SecureString();
+ foreach (char c in connInfo.ConnectionDetails.Password) {
+ passwordSecureString.AppendChar(c);
 }
+ dataContainer = new CDataContainer(
+ CDataContainer.ServerType.SQL,
+ connInfo.ConnectionDetails.ServerName,
+ false,
+ connInfo.ConnectionDetails.UserName,
+ passwordSecureString,
+ xmlDoc.InnerXml);
 }
 else
 {
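Review bot: The added `foreach` over `connInfo.ConnectionDetails.Password` handles an empty string but still throws a NullReferenceException if the property is null, which may be how a client sends an absent password; iterating `connInfo.ConnectionDetails.Password ?? string.Empty` would cover both cases. After the loop, `passwordSecureString.MakeReadOnly();` would stop the value being modified once it is handed to `CDataContainer`. Nothing visible in the hunk disposes the SecureString, so it is worth confirming that `CDataContainer` takes ownership of it. Because the password is already held as an ordinary managed string on `ConnectionDetails`, the SecureString here satisfies the constructor's signature rather than keeping the secret out of process memory, and a short comment saying so would keep later readers from over-trusting it. The body of `CreateDatabaseTaskHelper` continues past the end of the hunk.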