Hide password on cloned connections. Fixes #735

Author: bgrainger

docs/content/connection-options.md

@@ -357,7 +357,7 @@ These are the other options that MySqlConnector supports. They are set to sensib
   <tr>
     <td>Persist Security Info, PersistSecurityInfo</td>
     <td>false</td>
-    <td>When set to false or no (strongly recommended), security-sensitive information, such as the password, is not returned as part of the connection if the connection is open or has ever been in an open state. Resetting the connection string resets all connection string values, including the password. Recognized values are true, false, yes, and no.</td>
+    <td>When set to <code>false</code> or no (strongly recommended), security-sensitive information, such as the password, is not returned as part of the connection string if the connection is open or has ever been in an open state. Resetting the connection string resets all connection string values, including the password. Recognized values are true, false, yes, and no.</td>
   </tr>
   <tr>
     <td>ServerRSAPublicKeyFile, Server RSA Public Key File</td>

docs/content/tutorials/migrating-from-connector-net.md

@@ -210,3 +210,4 @@ The following bugs in Connector/NET are fixed by switching to MySqlConnector. (~
 * [#97067](https://bugs.mysql.com/bug.php?id=97067): Aggregate functions on BIT(n) columns return wrong result
 * [#97300](https://bugs.mysql.com/bug.php?id=97300): `GetSchemaTable()` returns table for stored procedure with output parameters
 * [#97448](https://bugs.mysql.com/bug.php?id=97448): Connecting fails if more than one IP is found in DNS for a named host
+* [#97473](https://bugs.mysql.com/bug.php?id=97473): `MySqlConnection.Clone` discloses connection password

src/MySqlConnector/MySql.Data.MySqlClient/MySqlConnection.cs

@@ -21,7 +21,7 @@ public sealed class MySqlConnection : DbConnection
 #endif
 	{
 		public MySqlConnection()
-			: this(default)
+			: this("")
 		{
 		}
 
@@ -447,7 +447,7 @@ public override async ValueTask DisposeAsync()
 			}
 		}
 
-		public MySqlConnection Clone() => new MySqlConnection(m_connectionString);
+		public MySqlConnection Clone() => new MySqlConnection(this);
 
 #if !NETSTANDARD1_3
 		object ICloneable.Clone() => Clone();
@@ -675,6 +675,12 @@ internal void SetState(ConnectionState newState)
 			}
 		}
 
+		private MySqlConnection(MySqlConnection other)
+			: this(other.m_connectionString)
+		{
+			m_hasBeenOpened = other.m_hasBeenOpened;
+		}
+
 		private void VerifyNotDisposed()
 		{
 			if (m_isDisposed)

tests/SideBySide/ConnectionTests.cs

@@ -162,5 +162,15 @@ public void CloneIsClosed()
 			using var connection2 = (MySqlConnection) connection.Clone();
 			Assert.Equal(ConnectionState.Closed, connection2.State);
 		}
+
+		[SkippableFact(Baseline = "https://bugs.mysql.com/bug.php?id=97473")]
+		public void CloneDoesNotDisclosePassword()
+		{
+			using var connection = new MySqlConnection(AppConfig.ConnectionString);
+			connection.Open();
+			using var connection2 = (MySqlConnection) connection.Clone();
+			Assert.Equal(connection.ConnectionString, connection2.ConnectionString);
+			Assert.DoesNotContain("password", connection2.ConnectionString, StringComparison.OrdinalIgnoreCase);
+		}
 	}
 }