phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-04-29 14:59:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

rest: Reject truncated hex txid early in getutxos parsing

Browse source
This commit is contained in:
MarcoFalke 2024-07-19 08:52:21 +02:00
parent fab6ddbee6
commit fa90777245
No known key found for this signature in database
2 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
src/rest.cpp
View file

@ -792,13 +792,14 @@ static bool rest_getutxos(const std::any& context, HTTPRequest* req, const std::
if (txid_out.size() != 2) { if (txid_out.size() != 2) {
return RESTERR(req, HTTP_BAD_REQUEST, "Parse error"); return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
} }
auto txid{Txid::FromHex(txid_out.at(0))};
auto output{ToIntegral<uint32_t>(txid_out.at(1))}; auto output{ToIntegral<uint32_t>(txid_out.at(1))};
if (!output || !IsHex(txid_out.at(0))) { if (!txid || !output) {
return RESTERR(req, HTTP_BAD_REQUEST, "Parse error"); return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
} }
vOutPoints.emplace_back(TxidFromString(txid_out.at(0)), *output); vOutPoints.emplace_back(*txid, *output);
} }
if (vOutPoints.size() > 0) if (vOutPoints.size() > 0)

2
test/functional/interface_rest.py
View file

@ -208,6 +208,8 @@ class RESTTest (BitcoinTestFramework):
self.test_rest_request(f"/getutxos/{spending[0]}_+1", ret_type=RetType.OBJ, status=400) self.test_rest_request(f"/getutxos/{spending[0]}_+1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}-+1", ret_type=RetType.OBJ, status=400) self.test_rest_request(f"/getutxos/{spending[0]}-+1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}--1", ret_type=RetType.OBJ, status=400) self.test_rest_request(f"/getutxos/{spending[0]}--1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}aa-1234", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/aa-1234", ret_type=RetType.OBJ, status=400)
# Test limits # Test limits
long_uri = '/'.join([f"{txid}-{n_}" for n_ in range(20)]) long_uri = '/'.join([f"{txid}-{n_}" for n_ in range(20)])