authorPieter Wuille <pieter@wuille.net>2022-04-08 23:17:01 -0400
committerMacroFake <falke.marco@gmail.com>2022-04-27 14:12:55 +0200
commita4377a0843636eae0aaf698510fc6518582545db (patch)
treeb89dfb8794880401981929fef7e1e6b211ad46e6 /src/httprpc.cpp
parentd648b5120b2fefa9e599898bd26f05ecf4428fac (diff)
Reject incorrect base64 in HTTP auth
In addition, to make sure that no call site ignores the invalid decoding status, make the pf_invalid argument mandatory.
Diffstat (limited to 'src/httprpc.cpp')
-rw-r--r--src/httprpc.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index 5d0b59f7cb..5d62568343 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -132,7 +132,9 @@ static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUserna
if (strAuth.substr(0, 6) != "Basic ")
return false;
std::string strUserPass64 = TrimString(strAuth.substr(6));
- std::string strUserPass = DecodeBase64(strUserPass64);
+ bool invalid;
+ std::string strUserPass = DecodeBase64(strUserPass64, &invalid);
+ if (invalid) return false;
if (strUserPass.find(':') != std::string::npos)
strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':'));
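Review bot: `bool invalid;` is declared without an initializer and then read on the authentication path, so the added `if (invalid) return false;` is only sound if DecodeBase64 writes through the pointer on every return path; its definition is not on this page, so that is an assumption here. Initialising it to the rejecting value, `bool invalid{true};`, makes the check fail closed and avoids an indeterminate read if a later change to DecodeBase64 ever leaves the flag untouched. A short comment above the check, for example `// Reject malformed base64 outright instead of authenticating on a partial decode`, would record why the early return exists. RPCAuthorized's body starts before and continues past this hunk.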