From 0c8f4c4872ddb264eeb1de253a3196e094ebf035 Mon Sep 17 00:00:00 2001
From: ralf <rb@egroupware.org>
Date: Tue, 6 Aug 2024 14:00:55 +0200
Subject: [PATCH] do NOT send URL to client-side, it can contain passwords

---
 filemanager/inc/class.filemanager_ui.inc.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/filemanager/inc/class.filemanager_ui.inc.php b/filemanager/inc/class.filemanager_ui.inc.php
index f169e5fdf3..d718745cf9 100644
--- a/filemanager/inc/class.filemanager_ui.inc.php
+++ b/filemanager/inc/class.filemanager_ui.inc.php
@@ -1104,6 +1104,9 @@ class filemanager_ui
 			{
 				$row[$date_field] = Api\DateTime::server2user($row[$date_field]);
 			}
+			// do NOT send URL to client-side, it can contain passwords
+			unset($row['url']);
+
 			$rows[++$n] = $row;
 			$path2n[$path] = $n;
 		}
@@ -1234,6 +1237,8 @@ class filemanager_ui
 			else
 			{
 				$content = $stat;
+				// do NOT send URL to client-side, it can contain passwords
+				unset($content['url']);
 				$content['name'] = $content['itempicker_merge']['name'] = Vfs::basename($path);
 				$content['dir'] = $content['itempicker_merge']['dir'] = ($dir = Vfs::dirname($path)) ? Vfs::decodePath($dir) : '';
 				$content['path'] = $path;