phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-04-29 23:09:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Reject invalid rpcauth formats

Browse source
This commit is contained in:
MacroFake 2022-04-30 13:05:30 +02:00
parent 5d53cf3878
commit fa12706fc6
No known key found for this signature in database
GPG key ID: CE2B75697E69A548
2 changed files with 10 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
src/httprpc.cpp
View file

@ -4,7 +4,6 @@
#include <httprpc.h> #include <httprpc.h>
#include <chainparams.h>
#include <crypto/hmac_sha256.h> #include <crypto/hmac_sha256.h>
#include <httpserver.h> #include <httpserver.h>
#include <rpc/protocol.h> #include <rpc/protocol.h>
@ -12,16 +11,15 @@
#include <util/strencodings.h> #include <util/strencodings.h>
#include <util/string.h> #include <util/string.h>
#include <util/system.h> #include <util/system.h>
#include <util/translation.h>
#include <walletinitinterface.h> #include <walletinitinterface.h>
#include <algorithm> #include <algorithm>
#include <iterator> #include <iterator>
#include <map> #include <map>
#include <memory> #include <memory>
#include <stdio.h>
#include <set> #include <set>
#include <string> #include <string>
#include <vector>
#include <boost/algorithm/string.hpp> #include <boost/algorithm/string.hpp>
@ -254,13 +252,14 @@ static bool InitRPCAuthentication()
LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n"); LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", ""); strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");
} }
if (gArgs.GetArg("-rpcauth","") != "") if (gArgs.GetArg("-rpcauth", "") != "") {
{
LogPrintf("Using rpcauth authentication.\n"); LogPrintf("Using rpcauth authentication.\n");
for (const std::string& rpcauth : gArgs.GetArgs("-rpcauth")) { for (const std::string& rpcauth : gArgs.GetArgs("-rpcauth")) {
std::vector<std::string> fields; std::vector<std::string> fields{SplitString(rpcauth, ':')};
boost::split(fields, rpcauth, boost::is_any_of(":$")); const std::vector<std::string> salt_hmac{SplitString(fields.back(), '$')};
if (fields.size() == 3) { if (fields.size() == 2 && salt_hmac.size() == 2) {
fields.pop_back();
fields.insert(fields.end(), salt_hmac.begin(), salt_hmac.end());
g_rpcauth.push_back(fields); g_rpcauth.push_back(fields);
} else { } else {
LogPrintf("Invalid -rpcauth argument.\n"); LogPrintf("Invalid -rpcauth argument.\n");

3
test/functional/rpc_users.py
View file

@ -107,6 +107,9 @@ class HTTPBasicsTest(BitcoinTestFramework):
self.stop_node(0) self.stop_node(0)
self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo']) self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo'])
self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar']) self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar'])
self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar:baz'])
self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo$bar:baz'])
self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo$bar$baz'])
self.log.info('Check that failure to write cookie file will abort the node gracefully') self.log.info('Check that failure to write cookie file will abort the node gracefully')
cookie_file = os.path.join(get_datadir_path(self.options.tmpdir, 0), self.chain, '.cookie.tmp') cookie_file = os.path.join(get_datadir_path(self.options.tmpdir, 0), self.chain, '.cookie.tmp')