From 95a674e238eaf2685b85709ec233f6241abbc548 Mon Sep 17 00:00:00 2001 From: Max Date: Wed, 1 Mar 2023 13:03:47 +0100 Subject: [PATCH] fix: treat text app session parameters as sensitive values * `PublicSessionController create` receives a share token. * The others receive the parameters for a text session: `document_id`, `session_id`, `session_token`. Even though these are relatively short lived they could be used to retrieve content from the document when leaked. Signed-off-by: Max --- lib/private/Log/ExceptionSerializer.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/private/Log/ExceptionSerializer.php b/lib/private/Log/ExceptionSerializer.php index 5f806be0ae5bb..78843de7206e7 100644 --- a/lib/private/Log/ExceptionSerializer.php +++ b/lib/private/Log/ExceptionSerializer.php @@ -100,6 +100,16 @@ class ExceptionSerializer { // Preview providers, don't log big data strings 'imagecreatefromstring', + + // text: PublicSessionController, SessionController and ApiService + 'create', + 'close', + 'push', + 'sync', + 'updateSession', + 'mention', + 'loginSessionUser', + ]; /** @var SystemConfig */
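Review bot: the seven entries added after 'imagecreatefromstring' are bare method names with no class qualifier, and 'create', 'close', 'push' and 'sync' are generic enough to occur in code that has nothing to do with the text app. If this list is matched on the method name alone, arguments of every frame with one of those names would be dropped from logged traces, which costs debugging detail well outside the three classes named in the comment. Consider scoping the entries to PublicSessionController, SessionController and ApiService if the matching logic allows it, or state in the comment that the over-matching is accepted. The comment `// text: PublicSessionController, SessionController and ApiService` also does not say why these are sensitive; naming the parameters from the commit message (the share token, `document_id`, `session_id`, `session_token`) would let a later reader judge whether an entry can be removed. Minor style point: the blank line added before `];` is not needed.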