Security/Privacy Bug Fix: SQL command collection off by default [change in behavior] #1690
Comments
|
@TimothyMothra Lets mention explicitly that this only affects .NET Core apps. For .NET Framework, SQL command was not collected by default and required additional steps. |
|
https://github.com/microsoft/ApplicationInsights-Announcements/issues - we can announce it here instead of a blog post? |
This does affect the .NET Framework as well, since the SQL Command can now be collected when using the |
|
I meant "Off by default" is a new behavior for .NET Core. For .NET Framework, it was always "Off by default". Agree that doc should cover the new way to turn on SQL Text for .NET Framework. |
|
It's on by default in the .NET Framework if you use the latest release of the Microsoft.Data.SqlClient libs. It's why I submitted #1723 |
|
@stebet This shows the default value is false? |
|
Yeah, my point was that before this change, if you referenced Microsoft.Data.SqlClient, you will get full SQL statements on .NET Framework, so this will affect those scenarios as well, even if they were just recently possible. |
|
Got it. Thanks for clarifying. |
|
Just an update, @ank3it is working on public announcements about this issue. I'm working on the release and this will be published to NuGet this week. :) |
|
TODO:
|
|
Reopening this. @cijothomas, @ank3it lets discuss in our next standup |
We're introducing a new change in 2.14 which will disable the collection SQL command text by default.
We understand this will likely be a breaking change for many customers, but this is being addressed as a security and privacy bug fix.
This will be introduced in 2.14-Beta1 and the stable release will be early April.
Before then we MUST update public documentation and add a post on our Announcements repo.
We will discuss with PMs to consider a blog post about this breaking change.
The text was updated successfully, but these errors were encountered: