DeckerSU
2020-01-26 07:34:49 +03:00
committed by Duke Leto
parent b879f536e9
commit 3199c01328
3 changed files with 12 additions and 5 deletions


@@ -11,6 +11,7 @@
#include "rpc/protocol.h" // For HTTP status codes #include "rpc/protocol.h" // For HTTP status codes
#include "sync.h" #include "sync.h"
#include "ui_interface.h" #include "ui_interface.h"
#include "utilstrencodings.h"
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -251,21 +252,25 @@ static void http_request_cb(struct evhttp_request* req, void* arg)
{ {
std::unique_ptr<HTTPRequest> hreq(new HTTPRequest(req)); std::unique_ptr<HTTPRequest> hreq(new HTTPRequest(req));
LogPrint("http", "Received a %s request for %s from %s\n",
RequestMethodString(hreq->GetRequestMethod()), hreq->GetURI(), hreq->GetPeer().ToString());
// Early address-based allow check // Early address-based allow check
if (!ClientAllowed(hreq->GetPeer())) { if (!ClientAllowed(hreq->GetPeer())) {
LogPrint("http", "HTTP request from %s rejected: Client network is not allowed RPC access\n",
hreq->GetPeer().ToString());
hreq->WriteReply(HTTP_FORBIDDEN); hreq->WriteReply(HTTP_FORBIDDEN);
return; return;
} }
// Early reject unknown HTTP methods // Early reject unknown HTTP methods
if (hreq->GetRequestMethod() == HTTPRequest::UNKNOWN) { if (hreq->GetRequestMethod() == HTTPRequest::UNKNOWN) {
LogPrint("http", "HTTP request from %s rejected: Unknown HTTP request method\n",
hreq->GetPeer().ToString());
hreq->WriteReply(HTTP_BADMETHOD); hreq->WriteReply(HTTP_BADMETHOD);
return; return;
} }
LogPrint("http", "Received a %s request for %s from %s\n",
RequestMethodString(hreq->GetRequestMethod()), SanitizeString(hreq->GetURI(), SAFE_CHARS_URI).substr(0, 100), hreq->GetPeer().ToString());
// Find registered handler for prefix // Find registered handler for prefix
std::string strURI = hreq->GetURI(); std::string strURI = hreq->GetURI();
std::string path; std::string path;
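Review bot: The relocated `LogPrint` after the method check logs a URI that has had characters silently removed and been cut to 100 characters, and nothing in the code or the log line says so, which can mislead anyone comparing the entry with what a handler actually received. A comment above it such as `// URI is client-controlled: restrict to SAFE_CHARS_URI and cap the length so a request cannot forge or flood log lines` would record the intent. The bare `100` would read better as a named constant, for example `static const size_t MAX_LOGGED_URI_LEN = 100;`. The unsanitized `hreq->GetURI()` is still what `strURI` uses for handler lookup just below, which looks intended. `http_request_cb` continues past the end of this hunk.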


@@ -20,7 +20,8 @@ static const string CHARS_ALPHA_NUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNO
static const string SAFE_CHARS[] = static const string SAFE_CHARS[] =
{ {
CHARS_ALPHA_NUM + " .,;_/:?@()", // SAFE_CHARS_DEFAULT CHARS_ALPHA_NUM + " .,;_/:?@()", // SAFE_CHARS_DEFAULT
CHARS_ALPHA_NUM + " .,;_?@" // SAFE_CHARS_UA_COMMENT CHARS_ALPHA_NUM + " .,;_?@", // SAFE_CHARS_UA_COMMENT
CHARS_ALPHA_NUM + "!*'();:@&=+$,/?#[]-_.~%" // SAFE_CHARS_URI
}; };
string SanitizeString(const string& str, int rule) string SanitizeString(const string& str, int rule)
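Review bot: The new `SAFE_CHARS_URI` entry keeps `%`, `'`, `&`, `$`, `;` and `#`, so its output is safe only for a line-oriented text log, and the entry's comment does not say that. Percent-encoded bytes pass through as literal text, which is harmless in the log itself but not if a later consumer decodes or interpolates the value. I would extend the comment to `// SAFE_CHARS_URI: RFC 3986 chars; output is for logging only, not decoded or escaped for shell/HTML/SQL` and mirror that in the `//!<` description of the enum value in the header. The table is matched to `enum SafeChars` by position only, and `SanitizeString`'s body is outside this hunk, so whether `rule` is range-checked cannot be seen here.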


@@ -26,7 +26,8 @@
enum SafeChars enum SafeChars
{ {
SAFE_CHARS_DEFAULT, //!< The full set of allowed chars SAFE_CHARS_DEFAULT, //!< The full set of allowed chars
SAFE_CHARS_UA_COMMENT //!< BIP-0014 subset SAFE_CHARS_UA_COMMENT, //!< BIP-0014 subset
SAFE_CHARS_URI //!< Chars allowed in URIs (RFC 3986)
}; };
std::string SanitizeFilename(const std::string& str); std::string SanitizeFilename(const std::string& str);