| author | Max <max@nextcloud.com> | 2023-03-01 13:03:47 +0100 |
|---|---|---|
| committer | Max <max@nextcloud.com> | 2023-03-01 13:03:47 +0100 |
| commit | 95a674e238eaf2685b85709ec233f6241abbc548 (patch) | |
| tree | 66845105aa1a976d0e8c7d62b7eaec5d3bfcb1e8 | |
| parent | 416efc12d6a0e535468082dfb9f88c17b7050236 (diff) | |
| download | nextcloud-server-95a674e238eaf2685b85709ec233f6241abbc548.tar.gz, nextcloud-server-95a674e238eaf2685b85709ec233f6241abbc548.zip | |
fix: treat text app session parameters as sensitive values
* `PublicSessionController create` receives a share token.
* The others receive the parameters for a text session:
`document_id`, `session_id`, `session_token`.
Even though these are relatively short-lived, they could be used to retrieve content from the document when leaked.
Signed-off-by: Max <max@nextcloud.com>
| -rw-r--r-- | lib/private/Log/ExceptionSerializer.php | 10 |
|---|---|---|

1 files changed, 10 insertions, 0 deletions
diff --git a/lib/private/Log/ExceptionSerializer.php b/lib/private/Log/ExceptionSerializer.php index 5f806be0ae5..78843de7206 100644 --- a/lib/private/Log/ExceptionSerializer.php +++ b/lib/private/Log/ExceptionSerializer.php @@ -100,6 +100,16 @@ class ExceptionSerializer { // Preview providers, don't log big data strings 'imagecreatefromstring', + + // text: PublicSessionController, SessionController and ApiService + 'create', + 'close', + 'push', + 'sync', + 'updateSession', + 'mention', + 'loginSessionUser', + ]; /** @var SystemConfig */ |
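Review bot: the new entries are bare method names, so they match far more than the comment claims. The list is matched by method name only (the existing 'imagecreatefromstring' entry works the same way), which means that after this change the arguments of every 'create', 'close', 'push', 'sync', 'mention' or 'updateSession' method that appears in any logged stack trace will be redacted, not just those of the text app's PublicSessionController, SessionController and ApiService. That is the safe direction (over-redaction rather than leaking a share token or session token), but it will make unrelated exceptions harder to debug and the comment "text: PublicSessionController, SessionController and ApiService" understates the effect. If the serializer offers a class-keyed variant of this list, scoping these names to the three text app classes would keep the redaction precise; otherwise the comment should say that the names are matched globally, for example "matched by method name in any class, intentionally broad".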