author | Lucas Azevedo <lhs_azevedo@hotmail.com> | 2023-08-24 11:19:50 -0300 |
---|---|---|
committer | Lucas Azevedo <lhs_azevedo@hotmail.com> | 2023-08-24 11:20:35 -0300 |
commit | ca101b2dbef60bd9a56d5832fdee29e147e80519 (patch) | |
tree | e34b568ae00cb331e6f71ffdf8d88d26ee2cb34f /core/Command | |
parent | 7d05d1f604ad10b6bd2065299a983f7b2c514cd6 (diff) | |
Filter out sensitive fields in user:auth-tokens
PublicKeyToken::jsonSerialize() already explicitly lists the allowed fields;
we are adding a second guard here to be on the safe side.
Signed-off-by: Lucas Azevedo <lhs_azevedo@hotmail.com>
Diffstat (limited to 'core/Command')
-rw-r--r-- | core/Command/User/AuthTokens.php | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens.php
index 0555cdfeab3..43fa687781e 100644
--- a/core/Command/User/AuthTokens.php
+++ b/core/Command/User/AuthTokens.php
@@ -61,7 +61,16 @@ class AuthTokens extends Base {
 $tokens = $this->tokenProvider->getTokenByUser($user->getUID());
- $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens);
+ $data = array_map(function (IToken $token): mixed {
+ $filtered = [
+ 'password',
+ 'password_hash',
+ 'token',
+ 'public_key',
+ 'private_key',
+ ];
+ return array_diff_key($token->jsonSerialize(), array_flip($filtered));
+ }, $tokens);
 $this->writeArrayInOutputFormat($input, $output, $data); |
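Review bot: The sensitive-field denylist is a literal rebuilt inside the closure on every token, and the closure keeps the `: mixed` return type although `array_diff_key()` always returns an array; hoisting the list into a class constant (e.g. `private const SENSITIVE_FIELDS = [...]` holding the same five keys) and writing the closure as `static fn (IToken $token): array => array_diff_key($token->jsonSerialize(), array_flip(self::SENSITIVE_FIELDS))` keeps the guard in one reviewable place and lets static analysis check the return type. Note that `array_diff_key()` requires an array as its first argument, so an `IToken` implementation whose `jsonSerialize()` returned anything else would now raise a `TypeError` in this command rather than be printed — likely acceptable, but worth a short comment. The filter only strips top-level keys, so a comment such as `// Second guard behind the allowlist in PublicKeyToken::jsonSerialize(); nested values are not inspected.` would make the intended scope clear to the next maintainer. The enclosing method starts and ends outside the hunk.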