fix: FTP password exposed in maskSecrets() / mergeExistingSecrets() #185
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
The
maskSecrets()andmergeExistingSecrets()methods in the AjaxController mask SFTP, S3, and Google Drive credentials but do NOT mask the FTP password field. FTP credentials are exposed in cleartext via AJAX responses when loading remote destination config.Location
src/Controller/AjaxController.php—maskSecrets()andmergeExistingSecrets()methodsFix
Add
ftp_passwordto the list of masked fields alongsidesftp_password,sftp_key_data,sftp_passphrase,s3_secret_key, andgoogle_drive_client_secret.Branch created:
feature/185-fix-ftp-password-exposed-in-masksecrets-Closing as a duplicate of #169.
Both describe the same gap —
maskSecrets()/mergeExistingSecrets()inAjaxController.phpomit anftpentry, so a stored FTP remote's password is returned unmasked. #169 is earlier and more precisely matches the code: the$secretsmap is keyed per-type by short field names (fix is'ftp' => ['password']), not a flatftp_passwordfield. Consolidating tracking on #169.