Diffstat (limited to 'doc/JSON-RPC-interface.md')
-rw-r--r--  doc/JSON-RPC-interface.md  26
1 files changed, 19 insertions, 7 deletions
diff --git a/doc/JSON-RPC-interface.md b/doc/JSON-RPC-interface.md index 40d8e330e2..12807bfb86 100644 --- a/doc/JSON-RPC-interface.md +++ b/doc/JSON-RPC-interface.md @@ -88,13 +88,14 @@ RPC interface will be abused. - **Secure string handling:** The RPC interface does not guarantee any escaping of data beyond what's necessary to encode it as JSON, although it does usually provide serialized data using a hex - representation of the bytes. If you use RPC data in your programs or - provide its data to other programs, you must ensure any problem - strings are properly escaped. For example, multiple websites have - been manipulated because they displayed decoded hex strings that - included HTML `<script>` tags. For this reason, and other - non-security reasons, it is recommended to display all serialized data - in hex form only. + representation of the bytes. If you use RPC data in your programs or + provide its data to other programs, you must ensure any problem strings + are properly escaped. For example, the `createwallet` RPC accepts + arguments such as `wallet_name` which is a string and could be used + for a path traversal attack without application level checks. Multiple + websites have been manipulated because they displayed decoded hex strings + that included HTML `<script>` tags. For this reason, and others, it is + recommended to display all serialized data in hex form only. ## RPC consistency guarantees 
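Review bot: the new `createwallet` / `wallet_name` example is an input-validation point, not an escaping point, yet it is inserted into a sentence whose claim is "you must ensure any problem strings are properly escaped"; as written, a reader may conclude that escaping the string protects against the path traversal the text warns about. Split the two cases: keep the `<script>` example as the output-escaping case, and state the argument case in its own sentence, e.g. "Arguments such as `wallet_name` in `createwallet` are strings that an application may build from untrusted input; without application-level checks they could be used for a path traversal attack." Also, "For this reason, and others" drops the original qualifier "other non-security reasons", which told readers that hex-only display is not purely a security measure; restore it. Finally, the re-wrap of the unchanged lines (trailing-whitespace removal) is mixed into the content change and makes the hunk harder to review; consider keeping whitespace-only changes in a separate commit.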
@@ -127,3 +128,14 @@ However, the wallet may not be up-to-date with the current state of the mempool or the state of the mempool by an RPC that returned before this RPC. For example, a wallet transaction that was BIP-125-replaced in the mempool prior to this RPC may not yet be reflected as such in this RPC response. + +## Limitations + +There is a known issue in the JSON-RPC interface that can cause a node to crash if +too many http connections are being opened at the same time because the system runs +out of available file descriptors. To prevent this from happening you might +want to increase the number of maximum allowed file descriptors in your system +and try to prevent opening too many connections to your JSON-RPC interface at the +same time if this is under your control. It is hard to give general advice +since this depends on your system but if you make several hundred requests at +once you are definitely at risk of encountering this issue. |
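Review bot: the new "Limitations" section describes a denial-of-service condition (node crash on file-descriptor exhaustion) but gives no verifiable reference and no concrete mitigation; "known issue" should link the tracking issue (number not present in this diff, use the real `#NNNN`), and "increase the number of maximum allowed file descriptors in your system" should at least name the mechanism (the soft and hard `ulimit -n` limits on POSIX systems, raised for the user running the node). The paragraph also switches between "http connections" and "requests": the trigger is concurrent open connections, so say "several hundred concurrent connections" rather than "several hundred requests", and write "HTTP" in the doc's usual capitalisation. Since the rest of this document already warns against exposing the RPC interface to untrusted clients, it is worth one sentence here tying the two together: a crash reachable by opening connections is only an issue for clients that can reach the RPC port at all, which reinforces keeping that port unexposed.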