commit 9bd80831179c07e24694d23e202147df10f7a712
author Jason M. Bills <jason.m.bills@intel.com> Wed Aug 30 15:19:41 2023 -0700
committer Ed Tanous <ed@tanous.net> Fri Sep 01 15:58:18 2023 +0000
tree cc609899f8c672e211bc0de9cea793ddd79e909e
parent b3e86cb08a818a31760ede5abf7b1ba5c13bb8bb

Don't return failed password in Redfish error response

Even though the password failed, it's not great to return it in plain
text in the Redfish error response (which is also displayed in a toast
pop-up in webui-vue). This replaces the password text with null in the
Redfish response to protect the password content.

Tested:
Set a bad password for a new user and an existing user and confirmed
that the provided password text is no longer included in the error
response.

Change-Id: I1882667396006861c2211dbe27b554dd5a32c122
Signed-off-by: Jason M. Bills <jason.m.bills@intel.com>

redfish-core/lib/account_service.hpp

diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 298cb83..dc21ff9 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1332,8 +1332,8 @@
                 else if (retval == PAM_AUTHTOK_ERR)
                 {
                     // If password is invalid
-                    messages::propertyValueFormatError(asyncResp->res,
-                                                       *password, "Password");
+                    messages::propertyValueFormatError(asyncResp->res, nullptr,
+                                                       "Password");
                     BMCWEB_LOG_ERROR("pamUpdatePassword Failed");
                 }
                 else if (retval != PAM_SUCCESS)
@@ -1789,7 +1789,7 @@
             }
 
             // If password is invalid
-            messages::propertyValueFormatError(asyncResp->res, password,
+            messages::propertyValueFormatError(asyncResp->res, nullptr,
                                                "Password");
             },
             "xyz.openbmc_project.User.Manager", userPath,