summary refs log tree commit diff
path: root/synapse/rest/client
diff options
context:
space:
mode:
authorPatrick Cloke <clokep@users.noreply.github.com>2023-09-08 08:57:56 -0400
committerGitHub <noreply@github.com>2023-09-08 08:57:56 -0400
commit69b74d9330e42fc91a9c7423d00a06cd6d3732bf (patch)
tree7140c417741cea23e32ac1ac6cd05d907bbf60b4 /synapse/rest/client
parentRaise setuptools_rust version cap to 1.7.0 (#16277) (diff)
downloadsynapse-69b74d9330e42fc91a9c7423d00a06cd6d3732bf.tar.xz
Avoid temporary storage of sensitive information. (#16272)
During the UI auth process, avoid storing sensitive information
into the database.
Diffstat (limited to 'synapse/rest/client')
-rw-r--r--synapse/rest/client/account.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/synapse/rest/client/account.py b/synapse/rest/client/account.py
index 196b292890..49cd0805fd 100644
--- a/synapse/rest/client/account.py
+++ b/synapse/rest/client/account.py
@@ -186,7 +186,7 @@ class PasswordRestServlet(RestServlet):
                 params, session_id = await self.auth_handler.validate_user_via_ui_auth(
                     requester,
                     request,
-                    body.dict(exclude_unset=True),
+                    body.dict(exclude_unset=True, exclude={"new_password"}),
                     "modify your account password",
                 )
                 user_id = requester.user.to_string()
@@ -194,7 +194,7 @@ class PasswordRestServlet(RestServlet):
                 result, params, session_id = await self.auth_handler.check_ui_auth(
                     [[LoginType.EMAIL_IDENTITY]],
                     request,
-                    body.dict(exclude_unset=True),
+                    body.dict(exclude_unset=True, exclude={"new_password"}),
                     "modify your account password",
                 )