From e365002373f1262993ae861aaeb88c7d59be6aa2 Mon Sep 17 00:00:00 2001
From: Frank Tovar <mail@franktovar.de>
Date: Mon, 2 Feb 2026 16:57:36 +0100
Subject: [PATCH] Harden password prompt against non-secure values

---
 scripts/deploy-ftp.ps1 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scripts/deploy-ftp.ps1 b/scripts/deploy-ftp.ps1
index 0104a80..09980f3 100644
--- a/scripts/deploy-ftp.ps1
+++ b/scripts/deploy-ftp.ps1
@@ -51,6 +51,9 @@ function Read-PlainOrPrompt([string]$Value, [string]$Prompt, [bool]$Secure = $fa
     if ($Value) { return $Value }
     if ($Secure) {
         $secure = Read-Host -Prompt $Prompt -AsSecureString
+        if (-not ($secure -is [System.Security.SecureString])) {
+            $secure = ConvertTo-SecureString -String ([string]$secure) -AsPlainText -Force
+        }
         $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
         try { return [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
         finally {