author | Pieter Wuille <pieter@wuille.net> | 2022-04-08 23:17:01 -0400 |
---|---|---|
committer | MacroFake <falke.marco@gmail.com> | 2022-04-27 14:12:55 +0200 |
commit | a4377a0843636eae0aaf698510fc6518582545db (patch) | |
tree | b89dfb8794880401981929fef7e1e6b211ad46e6 /src/httprpc.cpp | |
parent | d648b5120b2fefa9e599898bd26f05ecf4428fac (diff) | |
download | bitcoin-a4377a0843636eae0aaf698510fc6518582545db.tar.xz |
Reject incorrect base64 in HTTP auth
In addition, to make sure that no call site ignores the invalid
decoding status, make the pf_invalid argument mandatory.
Diffstat (limited to 'src/httprpc.cpp')
-rw-r--r-- | src/httprpc.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index 5d0b59f7cb..5d62568343 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -132,7 +132,9 @@ static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUserna
 if (strAuth.substr(0, 6) != "Basic ") return false;
 std::string strUserPass64 = TrimString(strAuth.substr(6));
- std::string strUserPass = DecodeBase64(strUserPass64);
+ bool invalid;
+ std::string strUserPass = DecodeBase64(strUserPass64, &invalid);
+ if (invalid) return false;
 if (strUserPass.find(':') != std::string::npos) strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':')); |
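Review bot: `bool invalid;` is read by `if (invalid) return false;` without being initialised in this function, so the authentication decision relies on DecodeBase64 writing the flag on every return path. That implementation is outside this file-limited view, so it cannot be confirmed from here. For an auth check I would fail closed and declare it as `bool invalid{true};`, which changes nothing if the callee always sets it. A one-line comment above the early return, e.g. `// Malformed base64 in the Authorization header is an authentication failure.`, would record why the check exists. RPCAuthorized starts and ends outside this hunk, so the credential comparison that follows is not reviewed here.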