mirrors/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-22 06:52:36 +01:00
Code Issues Projects Releases Wiki Activity

Merge #20741: doc: Update 'Secure string handling'

Browse source 
7117d7503f Update 'Secure string handling' (Prayank)

Pull request description:

  - Add information about possible path traversal attack
  - [wallet_name](https://bitcoincore.org/en/doc/0.20.0/rpc/wallet/createwallet/) (string): _The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location._

  Fixes https://github.com/bitcoin/bitcoin/issues/20128 (Not really fixing it but workaround)

  This PR is an alternative to https://github.com/bitcoin/bitcoin/pull/20393

ACKs for top commit:
  michaelfolkson:
    ACK 7117d7503f
  RiccardoMasutti:
    ACK 7117d7503f
  benthecarman:
    ACK 7117d7503f

Tree-SHA512: 0d6c4f8db5feba848bbb583e87a99e6c4b655deaa2b566164e2632acc1aabf470d4626d2dc4b82c4997effc30d9b474d860d0e0d3e896648c5cc9bfdb623da6d
This commit is contained in:
Wladimir J. van der Laan 2021-01-09 09:00:08 +01:00
commit 5574e48963
No known key found for this signature in database
GPG key ID: 1E4AED62986CD25D
1 changed files with 8 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
doc/JSON-RPC-interface.md
View file

@ -88,13 +88,14 @@ RPC interface will be abused.
- **Secure string handling:** The RPC interface does not guarantee any
escaping of data beyond what's necessary to encode it as JSON,
although it does usually provide serialized data using a hex
representation of the bytes. If you use RPC data in your programs or
provide its data to other programs, you must ensure any problem
strings are properly escaped. For example, multiple websites have
been manipulated because they displayed decoded hex strings that
included HTML `<script>` tags. For this reason, and other
non-security reasons, it is recommended to display all serialized data
in hex form only.
representation of the bytes. If you use RPC data in your programs or
provide its data to other programs, you must ensure any problem strings
are properly escaped. For example, the `createwallet` RPC accepts
arguments such as `wallet_name` which is a string and could be used
for a path traversal attack without application level checks. Multiple
websites have been manipulated because they displayed decoded hex strings
that included HTML `<script>` tags. For this reason, and others, it is
recommended to display all serialized data in hex form only.
## RPC consistency guarantees