Browse Source

[RPC] pass HTTP basic authentication username to the JSONRequest object

0.14
Jonas Schnelli 8 years ago
parent
commit
e7156ad61b
No known key found for this signature in database
GPG Key ID: 29D4BCB6416F53EC
  1. 11
      src/httprpc.cpp
  2. 1
      src/rest.cpp
  3. 3
      src/rpc/server.h

11
src/httprpc.cpp

@ -127,7 +127,7 @@ static bool multiUserAuthorized(std::string strUserPass)
return false; return false;
} }
static bool RPCAuthorized(const std::string& strAuth) static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut)
{ {
if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
return false; return false;
@ -136,7 +136,10 @@ static bool RPCAuthorized(const std::string& strAuth)
std::string strUserPass64 = strAuth.substr(6); std::string strUserPass64 = strAuth.substr(6);
boost::trim(strUserPass64); boost::trim(strUserPass64);
std::string strUserPass = DecodeBase64(strUserPass64); std::string strUserPass = DecodeBase64(strUserPass64);
if (strUserPass.find(":") != std::string::npos)
strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(":"));
//Check if authorized under single-user field //Check if authorized under single-user field
if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) { if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
return true; return true;
@ -159,7 +162,8 @@ static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
return false; return false;
} }
if (!RPCAuthorized(authHeader.second)) { JSONRPCRequest jreq;
if (!RPCAuthorized(authHeader.second, jreq.authUser)) {
LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", req->GetPeer().ToString()); LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", req->GetPeer().ToString());
/* Deter brute-forcing /* Deter brute-forcing
@ -172,7 +176,6 @@ static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
return false; return false;
} }
JSONRPCRequest jreq;
try { try {
// Parse request // Parse request
UniValue valRequest; UniValue valRequest;

1
src/rest.cpp

@ -286,6 +286,7 @@ static bool rest_chaininfo(HTTPRequest* req, const std::string& strURIPart)
switch (rf) { switch (rf) {
case RF_JSON: { case RF_JSON: {
JSONRPCRequest jsonRequest; JSONRPCRequest jsonRequest;
jsonRequest.params = UniValue(UniValue::VARR);
UniValue chainInfoObject = getblockchaininfo(jsonRequest); UniValue chainInfoObject = getblockchaininfo(jsonRequest);
string strJSON = chainInfoObject.write() + "\n"; string strJSON = chainInfoObject.write() + "\n";
req->WriteHeader("Content-Type", "application/json"); req->WriteHeader("Content-Type", "application/json");

3
src/rpc/server.h

@ -49,8 +49,9 @@ public:
UniValue params; UniValue params;
bool fHelp; bool fHelp;
std::string URI; std::string URI;
std::string authUser;
JSONRPCRequest() { id = NullUniValue; } JSONRPCRequest() { id = NullUniValue; params = NullUniValue; fHelp = false; }
void parse(const UniValue& valRequest); void parse(const UniValue& valRequest);
}; };

Loading…
Cancel
Save