aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWladimir J. van der Laan <laanwj@gmail.com>2014-08-19 14:40:11 +0200
committerWladimir J. van der Laan <laanwj@gmail.com>2014-08-19 14:40:34 +0200
commit01094bd01f5d999b7da698c0e655cf723afa8ebb (patch)
treeec1fb5e39cea18ed2bfac9bcd971ab4ed48196eb
parentdd2819701a1a4481ae06b24924b75d55b9feb115 (diff)
Don't reveal whether password is <20 or >20 characters in RPC
As discussed on IRC. It seems bad to base a decision to delay based on the password length, as it leaks a small amount of information.
-rw-r--r--src/rpcserver.cpp5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp
index 3b51c91e7c..524627e2de 100644
--- a/src/rpcserver.cpp
+++ b/src/rpcserver.cpp
@@ -849,11 +849,10 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn,
if (!HTTPAuthorized(mapHeaders))
{
LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
- /* Deter brute-forcing short passwords.
+ /* Deter brute-forcing
If this results in a DoS the user really
shouldn't have their RPC port exposed. */
- if (mapArgs["-rpcpassword"].size() < 20)
- MilliSleep(250);
+ MilliSleep(250);
conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush;
return false;