authorMacroFake <falke.marco@gmail.com>2022-04-30 13:05:30 +0200
committerMacroFake <falke.marco@gmail.com>2022-04-30 12:53:35 +0200
commitfa12706fc6dbaf82eca37f30afa07c37fcd44932 (patch)
tree81bf4a4b55ee0d74562fbd0729b6300455f2bd10 /src/httprpc.cpp
parent5d53cf38784df9ad9ed10306bf3fba3002fd9244 (diff)
downloadbitcoin-fa12706fc6dbaf82eca37f30afa07c37fcd44932.tar.xz
Reject invalid rpcauth formats
Diffstat (limited to 'src/httprpc.cpp')
-rw-r--r--src/httprpc.cpp15
1 files changed, 7 insertions, 8 deletions
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index 93d9acf5da..af27ff3506 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -4,7 +4,6 @@
#include <httprpc.h>
-#include <chainparams.h>
#include <crypto/hmac_sha256.h>
#include <httpserver.h>
#include <rpc/protocol.h>
@@ -12,16 +11,15 @@
#include <util/strencodings.h>
#include <util/string.h>
#include <util/system.h>
-#include <util/translation.h>
#include <walletinitinterface.h>
#include <algorithm>
#include <iterator>
#include <map>
#include <memory>
-#include <stdio.h>
#include <set>
#include <string>
+#include <vector>
#include <boost/algorithm/string.hpp>
@@ -254,13 +252,14 @@ static bool InitRPCAuthentication()
LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");
}
- if (gArgs.GetArg("-rpcauth","") != "")
- {
+ if (gArgs.GetArg("-rpcauth", "") != "") {
LogPrintf("Using rpcauth authentication.\n");
for (const std::string& rpcauth : gArgs.GetArgs("-rpcauth")) {
- std::vector<std::string> fields;
- boost::split(fields, rpcauth, boost::is_any_of(":$"));
- if (fields.size() == 3) {
+ std::vector<std::string> fields{SplitString(rpcauth, ':')};
+ const std::vector<std::string> salt_hmac{SplitString(fields.back(), '$')};
+ if (fields.size() == 2 && salt_hmac.size() == 2) {
+ fields.pop_back();
+ fields.insert(fields.end(), salt_hmac.begin(), salt_hmac.end());
g_rpcauth.push_back(fields);
} else {
LogPrintf("Invalid -rpcauth argument.\n");
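Review bot: The new condition `fields.size() == 2 && salt_hmac.size() == 2` checks only how many pieces an entry splits into, so an entry with an empty user, salt or hash (for example the constructed value `user:$`) still reaches `g_rpcauth.push_back(fields)`. Such an entry presumably can never authenticate, but the operator gets no hint that the credential is unusable; consider also requiring non-empty parts and a well-formed hash, e.g. `if (fields.size() == 2 && salt_hmac.size() == 2 && !fields[0].empty() && !salt_hmac[0].empty() && IsHex(salt_hmac[1])) {`. `fields.back()` is evaluated before any size check, which is safe only if `SplitString` never returns an empty vector; a short comment saying so would help, e.g. `// SplitString always yields at least one element`. If the "Invalid -rpcauth argument." message is ever made more specific, log the entry's position or user name rather than the raw value, since that value carries the salted HMAC. InitRPCAuthentication starts above this hunk and the else branch continues below it, so what happens after the log line is not visible here.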