From a6f997ddaed4ce9e179761989bbe304ed4176cb4 Mon Sep 17 00:00:00 2001
From: Vincent Petry <pvince81@owncloud.com>
Date: Wed, 10 Feb 2016 13:38:38 +0100
Subject: [PATCH] Remove path from versions response

The path attribute contains the path relative to the owner's home
folder, not the one from the recipient, which is useless for the client
and needlessly discloses the owner's original path.

The requested already has access to the full path of the file, so no
need to add it to the response.
---
 apps/files_versions/ajax/getVersions.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/files_versions/ajax/getVersions.php b/apps/files_versions/ajax/getVersions.php
index 1953a55d13..7d704c1461 100644
--- a/apps/files_versions/ajax/getVersions.php
+++ b/apps/files_versions/ajax/getVersions.php
@@ -41,6 +41,11 @@ if( $versions ) {
 
 	$versions = array_slice($versions, $start, $count);
 
+	// remove owner path from request to not disclose it to the recipient
+	foreach ($versions as $version) {
+		unset($version['path']);
+	}
+
 	\OCP\JSON::success(array('data' => array('versions' => $versions, 'endReached' => $endReached)));
 
 } else {