mirror of
https://github.com/bitwarden/browser.git
Remove password options from serve
unlock (#5601)
These options are no longer considered safe as the file location or environment variable could be guessed by an attacker.
parent
19d2b2594c
commit
a2b290a31e
@ -245,6 +245,10 @@ export class ServeCommand {
|
||||
});
|
||||
|
||||
router.post("/unlock", async (ctx, next) => {
|
||||
// Do not allow guessing password location through serve command
|
||||
delete ctx.request.query.passwordFile;
|
||||
delete ctx.request.query.passwordEnv;
|
||||
|
||||
const response = await this.unlockCommand.run(
|
||||
ctx.request.body.password == null ? null : (ctx.request.body.password as string),
|
||||
ctx.request.query
|
||||
|
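Review bot: The two `delete` statements at the top of the `/unlock` handler form a denylist, and `ctx.request.query` is still forwarded whole to `this.unlockCommand.run(...)`, so any other option that command reads (its option handling is not visible in this hunk) stays settable by whoever can reach the serve endpoint. An allowlist holds up better when options are added later: start from `const options = {};`, copy in only the keys the HTTP API is meant to support, and pass `options` in place of `ctx.request.query`. That also removes the dependence on the framework returning the same mutable query object on the second read of `ctx.request.query`, which these lines appear to assume. The handler body continues past the end of the hunk, so the rest of the call is not reviewed here.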