aboutsummaryrefslogtreecommitdiff
path: root/doc/JSON-RPC-interface.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/JSON-RPC-interface.md')
-rw-r--r--doc/JSON-RPC-interface.md15
1 files changed, 8 insertions, 7 deletions
diff --git a/doc/JSON-RPC-interface.md b/doc/JSON-RPC-interface.md
index c66e79af71..12807bfb86 100644
--- a/doc/JSON-RPC-interface.md
+++ b/doc/JSON-RPC-interface.md
@@ -88,13 +88,14 @@ RPC interface will be abused.
- **Secure string handling:** The RPC interface does not guarantee any
escaping of data beyond what's necessary to encode it as JSON,
although it does usually provide serialized data using a hex
- representation of the bytes. If you use RPC data in your programs or
- provide its data to other programs, you must ensure any problem
- strings are properly escaped. For example, multiple websites have
- been manipulated because they displayed decoded hex strings that
- included HTML `<script>` tags. For this reason, and other
- non-security reasons, it is recommended to display all serialized data
- in hex form only.
+ representation of the bytes. If you use RPC data in your programs or
+ provide its data to other programs, you must ensure any problem strings
+ are properly escaped. For example, the `createwallet` RPC accepts
+ arguments such as `wallet_name` which is a string and could be used
+ for a path traversal attack without application level checks. Multiple
+ websites have been manipulated because they displayed decoded hex strings
+ that included HTML `<script>` tags. For this reason, and others, it is
+ recommended to display all serialized data in hex form only.
## RPC consistency guarantees
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-01 22:20:27 +0000