Skip to content

Commit af559d1

Browse files
icewind1991backportbot[bot]
authored andcommitted
fix: don't put hashed password in share api response
Signed-off-by: Robin Appelman <robin@icewind.nl>
1 parent 2c21d75 commit af559d1

1 file changed

Lines changed: 7 additions & 3 deletions

File tree

apps/files_sharing/lib/Controller/ShareAPIController.php

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -267,10 +267,10 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
267267

268268
// "share_with" and "share_with_displayname" for passwords of link
269269
// shares was deprecated in Nextcloud 15, use "password" instead.
270-
$result['share_with'] = $share->getPassword();
270+
$result['share_with'] = $this->formatPasswordField($share->getPassword());
271271
$result['share_with_displayname'] = '(' . $this->l->t('Shared link') . ')';
272272

273-
$result['password'] = $share->getPassword();
273+
$result['password'] = $this->formatPasswordField($share->getPassword());
274274

275275
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
276276

@@ -286,7 +286,7 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
286286
$result['token'] = $token;
287287
} elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
288288
$result['share_with'] = $share->getSharedWith();
289-
$result['password'] = $share->getPassword();
289+
$result['password'] = $this->formatPasswordField($share->getPassword());
290290
$result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
291291
$result['send_password_by_talk'] = $share->getSendPasswordByTalk();
292292
$result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
@@ -355,6 +355,10 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
355355
return $result;
356356
}
357357

358+
private function formatPasswordField(?string $password): ?string {
359+
return ($password === null) ? null : 'redacted';
360+
}
361+
358362
/**
359363
* Check if one of the users address books knows the exact property, if
360364
* not we return the full name.

0 commit comments

Comments
 (0)