Merge pull request #4728 from laanwj/2014_08_rpcserver_password_delay

Don't reveal whether password is <20 or >20 characters in RPC
2025-01-11 15:48:05 +00:00 · 2014-08-19 13:32:40 -04:00 · 2014-08-19 13:32:40 -04:00 · 10dcbc1be0
commit 10dcbc1be0
parent fb11427e54 01094bd01f
1 changed files with 2 additions and 3 deletions
--- a/src/rpcserver.cpp
+++ b/src/rpcserver.cpp
@ -849,11 +849,10 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn,
    if (!HTTPAuthorized(mapHeaders))
    {
        LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
-        /* Deter brute-forcing short passwords.
+        /* Deter brute-forcing
           If this results in a DoS the user really
           shouldn't have their RPC port exposed. */
-        if (mapArgs["-rpcpassword"].size() < 20)
-            MilliSleep(250);
+        MilliSleep(250);

        conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush;
        return false;