From d7b707626a59be15520dd2179a84285c56d309c7 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Fri, 29 Jun 2018 13:16:10 +0200
Subject: [PATCH] storage add: always extract password from parameters

as else we write it to /etc/pve/storage.cfg which is readable by
www-data, a not really private group...

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 PVE/API2/Storage/Config.pm | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Storage/Config.pm b/PVE/API2/Storage/Config.pm
index 49cf3c8..95ca9b8 100755
--- a/PVE/API2/Storage/Config.pm
+++ b/PVE/API2/Storage/Config.pm
@@ -133,8 +133,15 @@ __PACKAGE__->register_method ({
 	# fix me in section config create never need an empty entity.
 	delete $param->{nodes} if !$param->{nodes};
 
-	my $password = extract_param($param, 'password')
-	    if $type eq 'cifs' && $param->{username};
+	my $password;
+	# always extract pw, else it gets written to the www-data readable scfg
+	if (my $tmp_pw = extract_param($param, 'password')) {
+	    if ($type eq 'cifs' && $param->{username}) {
+		$password = $tmp_pw;
+	    } else {
+		warn "ignore password parameter\n";
+	    }
+	}
 
 	if ($param->{portal}) {
 	    $param->{portal} = PVE::Storage::resolv_portal($param->{portal});
-- 
2.39.2