[stable10] Dont't expose hashed password in ocs api

[IljaN]

Description

Don't expose hashed password in ocs api

Related Issue

• Fixes https://github.com/owncloud/security-tracker/issues/301

Motivation and Context

Mostly hardening. Attacker could brute-force the password if he knows the internal salt and instance-id

How Has This Been Tested?

• Test manually by creating and accessing password protected link in UI
• Test manually by changing password in UI
• Unit-Tests adjusted

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Database schema changes (next release will require increase of minor version instead of patch)
• Breaking change (fix or feature that would cause existing functionality to change)
• Technical debt
• Tests only (no source changes)

Checklist:

• Code changes
• Unit tests added
• Acceptance tests added
• Documentation ticket raised:

Open tasks:

• Backport (if applicable set "backport-request" label and remove when the backport was done)

[codecov]

Codecov Report

Merging #34691 into stable10 will decrease coverage by 18.97%.
The diff coverage is n/a.

@@               Coverage Diff               @@
##             stable10   #34691       +/-   ##
===============================================
- Coverage          64%   45.03%   -18.98%     
===============================================
  Files            1276      116     -1160     
  Lines           75801    11465    -64336     
  Branches         1291     1291               
===============================================
- Hits            48515     5163    -43352     
+ Misses          26907     5923    -20984     
  Partials          379      379

Flag	Coverage Δ	Complexity Δ
#javascript	53.22% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	30.64% <ø> (-34.51%)	0 <ø> (-19247)

Impacted Files	Coverage Δ	Complexity Δ
lib/private/Files/Storage/DAV.php	59.45% <0%> (-21.64%)	0% <0%> (ø)
apps/updatenotification/templates/admin.php
lib/private/Encryption/Keys/Storage.php
lib/private/App/CodeChecker/NodeVisitor.php
lib/private/RedisFactory.php
apps/dav/lib/Avatars/AvatarNode.php
...s/dav/appinfo/Migrations/Version20170202213905.php
apps/dav/lib/Upload/ChunkLocationProvider.php
apps/files/lib/AppInfo/Application.php
apps/systemtags/list.php
... and 1151 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ff75188...a1206cd. Read the comment docs.

[codecov]

Codecov Report

Merging #34691 into stable10 will not change coverage.
The diff coverage is 100%.

@@             Coverage Diff             @@
##             stable10   #34691   +/-   ##
===========================================
  Coverage          64%      64%           
  Complexity      19247    19247           
===========================================
  Files            1276     1276           
  Lines           75801    75801           
  Branches         1291     1291           
===========================================
  Hits            48515    48515           
  Misses          26907    26907           
  Partials          379      379

Flag	Coverage Δ	Complexity Δ
#javascript	53.22% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	65.15% <100%> (ø)	19247 <0> (ø)	⬇️

Impacted Files	Coverage Δ	Complexity Δ
apps/files_sharing/lib/API/Share20OCS.php	93.48% <100%> (ø)	184 <0> (ø)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ff75188...31b47dc. Read the comment docs.

[PVince81]

@IljaN what did you test exactly ? just the API calls or did you retest the share link dialog to see if it still detects a password presence / absence ? if not, please also test the latter

[IljaN]

@PVince81 Works as expected (see top-post)

[PVince81]

👍

[PVince81]

@IljaN please port to master

[phil-davis]

Forward port to master is PR #34726