From 30fede216c7cb7b95e5db3d26cf338b88ad62b61 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 6 May 2020 04:03:07 +0200
Subject: [PATCH] Fix Add '_pw' var as var sensibles.
---
 htdocs/api/class/api_setup.class.php | 2 +-
 htdocs/core/class/commondocgenerator.class.php | 2 +-
 htdocs/core/lib/functions.lib.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index ec7a6b89596..fd6432b553f 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -1429,7 +1429,7 @@ class Setup extends DolibarrApi
 if (!preg_match('/^[a-zA-Z0-9_]+$/', $constantname) || !isset($conf->global->$constantname)) {
 throw new RestException(500, 'Error Bad or unknown value for constantname');
 }
- if (preg_match('/(_pass|password|secret|_key|key$)/i', $constantname)) {
+ if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $constantname)) {
 throw new RestException(403, 'Forbidden');
 }
diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php
index 1f5ef0a5a9e..df80aab7a1f 100644
--- a/htdocs/core/class/commondocgenerator.class.php
+++ b/htdocs/core/class/commondocgenerator.class.php
@@ -325,7 +325,7 @@ abstract class CommonDocGenerator
 foreach ($conf->global as $key => $val) {
- if (preg_match('/(_pass|password|secret|_key|key$)/i', $key)) $newval = '*****forbidden*****';
+ if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $key)) $newval = '*****forbidden*****';
 else $newval = $val;
 $array_other['__['.$key.']__'] = $newval;
 }
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f456ec311ac..28a44562b28 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
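Review bot: The check `preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $constantname)` in htdocs/api/class/api_setup.class.php is a name-based denylist, so it fails open: a constant whose name carries none of these fragments (one containing `token`, for instance) is still returned to the API caller. The same literal pattern is repeated in the commondocgenerator.class.php and functions.lib.php hunks, and three copies will drift the next time a fragment is added; one shared helper, called as e.g. `if (isSensitiveConstantName($constantname)) {` (the name is only a suggestion), would keep them aligned. For the API path an explicit list of constants that may be read would be the safer default. Whether an existing constant stores a credential under a non-matching name cannot be seen from this patch and is worth auditing. The enclosing method of class Setup starts and ends outside the hunk.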
@@ -6523,7 +6523,7 @@ function make_substitutions($text, $substitutionarray, $outputlangs = null)
 if (dol_textishtml($text, 1)) $msgishtml = 1;
 $keyfound = $reg[1];
- if (preg_match('/(_pass|password|secret|_key|key$)/i', $keyfound)) $newval = '*****forbidden*****';
+ if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $keyfound)) $newval = '*****forbidden*****';
 else $newval = empty($conf->global->$keyfound) ? '' : $conf->global->$keyfound;
 $text = preg_replace('/__\['.preg_quote($keyfound, '/').'\]__/', $msgishtml ?dol_htmlentitiesbr($newval) : $newval, $text);
 }
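Review bot: The masked or looked-up `$newval` is passed as the replacement argument of `preg_replace`, where `$n` and `\n` sequences are parsed as back-references, so a constant value containing such a sequence is not inserted literally into `$text`. Since the search string is fixed once `$keyfound` is known, a literal replace avoids this: `$text = str_replace('__['.$keyfound.']__', $msgishtml ? dol_htmlentitiesbr($newval) : $newval, $text);`. The block that encloses these lines starts outside the hunk (presumably a loop over `__[...]__` matches), so how it behaves when the substituted text again contains such a marker cannot be checked here and should be confirmed.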