From d3bccf9647d1adc176c00dd56eddd839646834f2 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Fri, 8 May 2026 16:33:18 +0200
Subject: [PATCH 1/2] fix: don't put hashed password in share api response
Signed-off-by: Robin Appelman
---
 .../lib/Controller/ShareAPIController.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index 355a596526729..d442665248d9c 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -271,10 +271,10 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
 // "share_with" and "share_with_displayname" for passwords of link
 // shares was deprecated in Nextcloud 15, use "password" instead.
- $result['share_with'] = $share->getPassword();
+ $result['share_with'] = $this->formatPasswordField($share->getPassword());
 $result['share_with_displayname'] = '(' . $this->l->t('Shared link') . ')';
- $result['password'] = $share->getPassword();
+ $result['password'] = $this->formatPasswordField($share->getPassword());
 $result['send_password_by_talk'] = $share->getSendPasswordByTalk();
@@ -290,7 +290,7 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
 $result['token'] = $token;
 } elseif ($share->getShareType() === IShare::TYPE_EMAIL) {
 $result['share_with'] = $share->getSharedWith();
- $result['password'] = $share->getPassword();
+ $result['password'] = $this->formatPasswordField($share->getPassword());
 $result['password_expiration_time'] = $share->getPasswordExpirationTime() !== null ? $share->getPasswordExpirationTime()->format(\DateTime::ATOM) : null;
 $result['send_password_by_talk'] = $share->getSendPasswordByTalk();
 $result['share_with_displayname'] = $this->getDisplayNameFromAddressBook($share->getSharedWith(), 'EMAIL');
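Review bot: In the `TYPE_LINK` assignments of the `@@ -271,10 +271,10 @@` hunk and the `TYPE_EMAIL` assignment of the `@@ -290,7 +290,7 @@` hunk, `password` (and the deprecated `share_with`) now carry the in-band string `'redacted'` in a field that used to hold a value, and nothing visible tells a client that this is a marker rather than data. If the update endpoint (not visible here) accepts a `password` parameter verbatim, a client that reads a share and writes the same fields back could set the share password to the literal `redacted`; please confirm the update path rejects or ignores that value. I would also add `// Never return the stored hash; the field only signals that a password is set.` above the first assignment. `formatShare` starts and ends outside both hunks.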
@@ -359,6 +359,10 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
 return $result;
 }
+ private function formatPasswordField(?string $password): ?string {
+ return ($password === null) ? null : 'redacted';
+ }
+
 /**
 * Check if one of the users address books knows the exact property, if
 * not we return the full name.
From d11fb91a892f558edcae09142941e469bb13d35a Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Fri, 8 May 2026 16:42:45 +0200
Subject: [PATCH 2/2] test: adjust tests redacted password field
Signed-off-by: Robin Appelman
---
 .../tests/Controller/ShareAPIControllerTest.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php b/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php
index 65186f0b57151..f1a6806a11887 100644
--- a/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php
+++ b/apps/files_sharing/tests/Controller/ShareAPIControllerTest.php
@@ -796,8 +796,8 @@ public function dataGetShare() {
 $expected = [
 'id' => 101,
 'share_type' => IShare::TYPE_LINK,
- 'password' => 'password',
- 'share_with' => 'password',
+ 'password' => 'redacted',
+ 'share_with' => 'redacted',
 'share_with_displayname' => '(Shared link)',
 'send_password_by_talk' => false,
 'uid_owner' => 'initiatorId',
@@ -4380,8 +4380,8 @@ public function dataFormatShare() {
 'file_source' => 3,
 'file_parent' => 1,
 'file_target' => 'myTarget',
- 'password' => 'mypassword',
- 'share_with' => 'mypassword',
+ 'password' => 'redacted',
+ 'share_with' => 'redacted',
 'share_with_displayname' => '(Shared link)',
 'send_password_by_talk' => false,
 'mail_send' => 0,
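Review bot: The `formatPasswordField` helper added in the `@@ -359,6 +359,10 @@` hunk has no docblock and its placeholder is a bare literal, so the reason the hash must not leave the controller lives only in the commit subject. I would add a docblock such as `/** Replaces the stored password hash with a fixed placeholder so the response reveals only whether a password is set. */` and name the value, e.g. `private const PASSWORD_PLACEHOLDER = 'redacted';` (proposed name). The check is `$password === null`, so an empty string would also be reported as `'redacted'`; if `getPassword()` can return `''` for an unprotected share (not visible here), the guard should be `$password === null || $password === ''`.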
@@ -4439,8 +4439,8 @@ public function dataFormatShare() {
 'file_source' => 3,
 'file_parent' => 1,
 'file_target' => 'myTarget',
- 'password' => 'mypassword',
- 'share_with' => 'mypassword',
+ 'password' => 'redacted',
+ 'share_with' => 'redacted',
 'share_with_displayname' => '(Shared link)',
 'send_password_by_talk' => true,
 'mail_send' => 0,
@@ -4784,7 +4784,7 @@ public function dataFormatShare() {
 'mail_send' => 0,
 'mimetype' => 'myFolderMimeType',
 'has_preview' => false,
- 'password' => 'password',
+ 'password' => 'redacted',
 'send_password_by_talk' => false,
 'hide_download' => 0,
 'can_edit' => false,
@@ -4840,7 +4840,7 @@ public function dataFormatShare() {
 'mail_send' => 0,
 'mimetype' => 'myFolderMimeType',
 'has_preview' => false,
- 'password' => 'password',
+ 'password' => 'redacted',
 'send_password_by_talk' => true,
 'hide_download' => 0,
 'can_edit' => false,