author | Jason M. Bills <jason.m.bills@intel.com> | 2023-08-31 01:19:41 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2023-09-01 18:58:18 +0300 |
commit | 9bd80831179c07e24694d23e202147df10f7a712 (patch) | |
tree | cc609899f8c672e211bc0de9cea793ddd79e909e | |
parent | b3e86cb08a818a31760ede5abf7b1ba5c13bb8bb (diff) | |
download | bmcweb-9bd80831179c07e24694d23e202147df10f7a712.tar.xz |
Don't return failed password in Redfish error response
Even though the password failed, it's not great to return it in plain
text in the Redfish error response (which is also displayed in a toast
pop-up in webui-vue). This replaces the password text with null in the
Redfish response to protect the password content.
Tested:
Set a bad password for a new user and an existing user and confirmed
that the provided password text is no longer included in the error
response.
Change-Id: I1882667396006861c2211dbe27b554dd5a32c122
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>
-rw-r--r-- | redfish-core/lib/account_service.hpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp index 298cb837c9..dc21ff96d7 100644 --- a/redfish-core/lib/account_service.hpp +++ b/redfish-core/lib/account_service.hpp @@ -1332,8 +1332,8 @@ inline void updateUserProperties( else if (retval == PAM_AUTHTOK_ERR) { // If password is invalid - messages::propertyValueFormatError(asyncResp->res, - *password, "Password"); + messages::propertyValueFormatError(asyncResp->res, nullptr, + "Password"); BMCWEB_LOG_ERROR("pamUpdatePassword Failed"); } else if (retval != PAM_SUCCESS) @@ -1789,7 +1789,7 @@ inline void processAfterCreateUser( } // If password is invalid - messages::propertyValueFormatError(asyncResp->res, password, + messages::propertyValueFormatError(asyncResp->res, nullptr, "Password"); }, "xyz.openbmc_project.User.Manager", userPath, |
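Review bot: In the PAM_AUTHTOK_ERR branch of updateUserProperties, the bare nullptr passed to messages::propertyValueFormatError gives no hint that the value is withheld on purpose, so a later cleanup could put *password back. Extend the existing "// If password is invalid" comment to say that the rejected password must not be echoed to the client, so the intent stays next to the call. The neighbouring BMCWEB_LOG_ERROR("pamUpdatePassword Failed") line logs no password text and should stay that way.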
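Review bot: The call under "// If password is invalid" in processAfterCreateUser repeats the same nullptr redaction as the updateUserProperties hunk, so the rule now lives in two call sites with nothing tying them together. Consider a small shared helper for reporting a rejected password, or at least the same explanatory comment at both sites. Only these two paths are visible here, so it is also worth confirming that no other messages:: call in account_service.hpp still passes the password as the value argument.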