Fixes #1497 ZCA-009 by restricting data exporting to user defined folder.
Previously the RPC interface allowed z_exportwallet, backupwallet and dumpwallet to write data to an arbitrary filename. ZCA-009 demonstrates how this is vulnerable. The resolution is to only allow data to written when the -exportdir has been configured. Also filenames are restricted to alphanumeric characters.
This commit is contained in:
@@ -30,6 +30,22 @@ string SanitizeString(const string& str)
|
||||
return strResult;
|
||||
}
|
||||
|
||||
string SanitizeFilename(const string& str)
|
||||
{
|
||||
/**
|
||||
* safeChars chosen to restrict filename, keeping it simple to avoid cross-platform issues.
|
||||
* http://stackoverflow.com/a/2306003
|
||||
*/
|
||||
static string safeChars("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890");
|
||||
string strResult;
|
||||
for (std::string::size_type i = 0; i < str.size(); i++)
|
||||
{
|
||||
if (safeChars.find(str[i]) != std::string::npos)
|
||||
strResult.push_back(str[i]);
|
||||
}
|
||||
return strResult;
|
||||
}
|
||||
|
||||
const signed char p_util_hexdigit[256] =
|
||||
{ -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
|
||||
-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,
|
||||
|
||||
Reference in New Issue
Block a user