DragonX/hush3
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

CVE-2018–20586 fix

Browse Source 
- https://medium.com/@lukedashjr/cve-2018-20586-disclosure-ff3e1ab9a21f
- https://github.com/bitcoin/bitcoin/pull/14618/files
This commit is contained in:
DeckerSU
2020-01-26 07:34:49 +03:00
committed by Duke Leto
parent b879f536e9
commit 3199c01328
3 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/httpserver.cpp
View File

@@ -11,6 +11,7 @@
#include "rpc/protocol.h" // For HTTP status codes
#include "sync.h"
#include "ui_interface.h"
#include "utilstrencodings.h"
#include <stdio.h>
#include <stdlib.h>
@@ -251,21 +252,25 @@ static void http_request_cb(struct evhttp_request* req, void* arg)
{
std::unique_ptr<HTTPRequest> hreq(new HTTPRequest(req));
LogPrint("http", "Received a %s request for %s from %s\n",
RequestMethodString(hreq->GetRequestMethod()), hreq->GetURI(), hreq->GetPeer().ToString());
// Early address-based allow check
if (!ClientAllowed(hreq->GetPeer())) {
LogPrint("http", "HTTP request from %s rejected: Client network is not allowed RPC access\n",
hreq->GetPeer().ToString());
hreq->WriteReply(HTTP_FORBIDDEN);
return;
}
// Early reject unknown HTTP methods
if (hreq->GetRequestMethod() == HTTPRequest::UNKNOWN) {
LogPrint("http", "HTTP request from %s rejected: Unknown HTTP request method\n",
hreq->GetPeer().ToString());
hreq->WriteReply(HTTP_BADMETHOD);
return;
}
LogPrint("http", "Received a %s request for %s from %s\n",
RequestMethodString(hreq->GetRequestMethod()), SanitizeString(hreq->GetURI(), SAFE_CHARS_URI).substr(0, 100), hreq->GetPeer().ToString());
// Find registered handler for prefix
std::string strURI = hreq->GetURI();
std::string path;

3
src/utilstrencodings.cpp
View File

@@ -20,7 +20,8 @@ static const string CHARS_ALPHA_NUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNO
static const string SAFE_CHARS[] =
{
CHARS_ALPHA_NUM + " .,;_/:?@()", // SAFE_CHARS_DEFAULT
CHARS_ALPHA_NUM + " .,;_?@" // SAFE_CHARS_UA_COMMENT
CHARS_ALPHA_NUM + " .,;_?@", // SAFE_CHARS_UA_COMMENT
CHARS_ALPHA_NUM + "!*'();:@&=+$,/?#[]-_.~%" // SAFE_CHARS_URI
};
string SanitizeString(const string& str, int rule)

3
src/utilstrencodings.h
View File

@@ -26,7 +26,8 @@
enum SafeChars
{
SAFE_CHARS_DEFAULT, //!< The full set of allowed chars
SAFE_CHARS_UA_COMMENT //!< BIP-0014 subset
SAFE_CHARS_UA_COMMENT, //!< BIP-0014 subset
SAFE_CHARS_URI //!< Chars allowed in URIs (RFC 3986)
};
std::string SanitizeFilename(const std::string& str);