fix(accounts-controller): fix potential vulnerability with raw passwo…

…rd saving/viewing.
flextype-plugins · Jun 26, 2020 · aaaa806 · aaaa806
1 parent f48e51d
commit aaaa806
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/app/Controllers/AccountsController.php b/app/Controllers/AccountsController.php
@@ -60,6 +60,7 @@ public function index(Request $request, Response $response, array $args) : Respo
  $_path = explode('/', $account['path']);
  $account_to_store['email'] = array_pop($_path);
 
+ Arr::delete($account, 'password');
  Arr::delete($account, 'hashed_password');
  Arr::delete($account, 'hashed_password_reset');
 
@@ -521,6 +522,7 @@ public function profile(Request $request, Response $response, array $args) : Res
  $profile['email'] = $email;
 
  Arr::delete($profile, 'uuid');
+ Arr::delete($profile, 'password');
  Arr::delete($profile, 'hashed_password');
  Arr::delete($profile, 'hashed_password_reset');
  Arr::delete($profile, 'roles');