SECURITY: API: Don't log "sensitive" parameters
[lhc/web/wiklou.git] / includes / api / ApiCheckToken.php
index dd88b5f..480915e 100644 (file)
@@ -43,9 +43,7 @@ class ApiCheckToken extends ApiBase {
                );
 
                if ( substr( $token, -strlen( urldecode( Token::SUFFIX ) ) ) === urldecode( Token::SUFFIX ) ) {
-                       $this->setWarning(
-                               "Check that symbols such as \"+\" in the token are properly percent-encoded in the URL."
-                       );
+                       $this->addWarning( 'apiwarn-checktoken-percentencoding' );
                }
 
                if ( $tokenObj->match( $token, $maxage ) ) {
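Review bot: The new `addWarning( 'apiwarn-checktoken-percentencoding' )` call depends on a message key whose definition is not visible here, so confirm the key is present in the API message files with the same advice the removed literal carried (percent-encode symbols such as "+"). The condition above it would also benefit from a short why-comment, for example `// Token ends in the urldecoded suffix: the client probably sent the suffix without percent-encoding it`. That reading is inferred from the removed warning text, so check it against the definition of `Token::SUFFIX`. As a style point, `urldecode( Token::SUFFIX )` is evaluated twice on that line and could be held in a local. The enclosing method starts and ends outside this hunk.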
@@ -75,6 +73,7 @@ class ApiCheckToken extends ApiBase {
                        'token' => [
                                ApiBase::PARAM_TYPE => 'string',
                                ApiBase::PARAM_REQUIRED => true,
+                               ApiBase::PARAM_SENSITIVE => true,
                        ],
                        'maxtokenage' => [
                                ApiBase::PARAM_TYPE => 'integer',
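Review bot: The added `ApiBase::PARAM_SENSITIVE => true` on `token` has no comment saying what it guards, and a later edit could drop it as noise; something like `// Keep the token value out of API request logs` on that line would record the intent. Going by the commit title, the flag governs what the API layer itself logs. A token sent in a GET query string would presumably still be written to web-server access logs and any intermediary proxies, and whether this module requires POST is not visible in this hunk. If it does not, the parameter help should steer clients to send the token in the request body. A test asserting that the logged request omits the token value would keep this from regressing. The parameter array belongs to a method that starts and ends outside the hunk.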