author | MacroFake <falke.marco@gmail.com> | 2022-04-30 13:05:30 +0200 |
---|---|---|
committer | MacroFake <falke.marco@gmail.com> | 2022-04-30 12:53:35 +0200 |
commit | fa12706fc6dbaf82eca37f30afa07c37fcd44932 (patch) | |
tree | 81bf4a4b55ee0d74562fbd0729b6300455f2bd10 | |
parent | 5d53cf38784df9ad9ed10306bf3fba3002fd9244 (diff) |
Reject invalid rpcauth formats
-rw-r--r-- | src/httprpc.cpp | 15 | ||||
-rwxr-xr-x | test/functional/rpc_users.py | 3 |
2 files changed, 10 insertions, 8 deletions
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index 93d9acf5da..af27ff3506 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -4,7 +4,6 @@
 #include <httprpc.h>
-#include <chainparams.h>
 #include <crypto/hmac_sha256.h>
 #include <httpserver.h>
 #include <rpc/protocol.h>
@@ -12,16 +11,15 @@
 #include <util/strencodings.h>
 #include <util/string.h>
 #include <util/system.h>
-#include <util/translation.h>
 #include <walletinitinterface.h>
 #include <algorithm>
 #include <iterator>
 #include <map>
 #include <memory>
-#include <stdio.h>
 #include <set>
 #include <string>
+#include <vector>
 #include <boost/algorithm/string.hpp>
@@ -254,13 +252,14 @@ static bool InitRPCAuthentication()
 LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
 strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");
 }
- if (gArgs.GetArg("-rpcauth","") != "")
- {
+ if (gArgs.GetArg("-rpcauth", "") != "") {
 LogPrintf("Using rpcauth authentication.\n");
 for (const std::string& rpcauth : gArgs.GetArgs("-rpcauth")) {
- std::vector<std::string> fields;
- boost::split(fields, rpcauth, boost::is_any_of(":$"));
- if (fields.size() == 3) {
+ std::vector<std::string> fields{SplitString(rpcauth, ':')};
+ const std::vector<std::string> salt_hmac{SplitString(fields.back(), '$')};
+ if (fields.size() == 2 && salt_hmac.size() == 2) {
+ fields.pop_back();
+ fields.insert(fields.end(), salt_hmac.begin(), salt_hmac.end());
 g_rpcauth.push_back(fields);
 } else {
 LogPrintf("Invalid -rpcauth argument.\n");
diff --git a/test/functional/rpc_users.py b/test/functional/rpc_users.py
index 7cedb4336b..1a35a57802 100755
--- a/test/functional/rpc_users.py
+++ b/test/functional/rpc_users.py
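Review bot: The new condition in the rpcauth loop of InitRPCAuthentication counts the pieces but never checks that they are non-empty, so, assuming SplitString keeps empty pieces, an entry such as `-rpcauth=:salt$hash` or `-rpcauth=user:$` would still be stored in g_rpcauth rather than failing init. I would tighten it to `if (fields.size() == 2 && salt_hmac.size() == 2 && !fields[0].empty() && !salt_hmac[0].empty() && !salt_hmac[1].empty()) {`. The call `fields.back()` is only well defined if SplitString returns at least one element for an empty value, which is not visible here; a one-line comment stating that guarantee would help, e.g. `// SplitString always returns at least one (possibly empty) element, so back() is safe`. The cases added in test/functional/rpc_users.py cover wrong delimiter counts only and would need matching empty-field cases. The function body starts and ends outside the hunk.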
@@ -107,6 +107,9 @@ class HTTPBasicsTest(BitcoinTestFramework):
 self.stop_node(0)
 self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo'])
 self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar'])
+ self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar:baz'])
+ self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo$bar:baz'])
+ self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo$bar$baz'])
 self.log.info('Check that failure to write cookie file will abort the node gracefully')
 cookie_file = os.path.join(get_datadir_path(self.options.tmpdir, 0), self.chain, '.cookie.tmp') |