doc: Update 'Secure string handling' #20741

pull ghost wants to merge 1 commits into bitcoin:master from changing 1 files +8 −7
  1. ghost commented at 1:28 AM on December 22, 2020: none
    • Add information about possible path traversal attack
    • wallet_name (string): The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location.

    Fixes #20128 (Not really fixing it but workaround)

    This PR is an alternative to #20393

  2. fanquake added the label Docs on Dec 22, 2020
  3. RiccardoMasutti approved
  4. RiccardoMasutti commented at 12:13 PM on December 24, 2020: contributor

    ACK 578315a

  5. benthecarman commented at 10:57 PM on December 24, 2020: contributor

    ACK 578315a

  6. michaelfolkson commented at 12:34 PM on December 28, 2020: contributor

    I'm not entirely sure what "validating or securely using RPC calls" is referring to. What do you mean by "validating RPC calls" here? And how would one "insecurely" (opposite of securely) use a RPC in this context?

    Do you mean it is advised not to reimplement RPCs when building a wallet and to use the ones in Core?

    Also a nit: "For example," (what it was originally) is better than "Example"

  7. ghost commented at 1:11 PM on December 28, 2020: none

    I'm not entirely sure what "validating or securely using RPC calls" is referring to. What do you mean by "validating RPC calls" here?

    Validating "string" input as it is mentioned in "secure string handling" section

    And how would one "insecurely" (opposite of securely) use a RPC in this context?

    I can share POC if others are okay with it being shared here

    Do you mean it is advised not to reimplement RPCs when building a wallet and to use the ones in Core?

    No. I just mean implement them in a way that attacker can't exploit your website by using path traversal.

  8. michaelfolkson commented at 1:37 PM on December 28, 2020: contributor

    Validating "string" input as it is mentioned in "secure string handling" section

    So you are not suggesting anything in addition to what is already in the "Secure string handling" section. Validating what is already in the "Secure string handling" section.

    No. I just mean implement them in a way that attacker can't exploit your website by using path traversal.

    A suggestion for changes to Bitcoin Core RPCs shouldn't go into docs. They should be discussed in an Issue/PR on their merits which presumably is what is happening in #20128. There appears to be confusion though on the exact change(s) you are suggesting there.

    I can share POC if others are okay with it being shared here

    I'm not sure this is the best place. Feel free to post on IRC and if it has merits I am sure someone will discuss it with you privately.

  9. michaelfolkson commented at 1:56 PM on December 28, 2020: contributor

    As far as I can understand @prayank23 you want to impose additional restrictions on the characters allowed in the wallet name which is being discussed in this PR #20393. That is open and currently in draft status. That appears to have some merit and people are engaging with it.

    I don't see the motivation for changing the docs at this stage. If a PR based on #20393 is merged then maybe additional guidance can be considered for the docs (for whatever restrictions are not merged). But until then this particular doc PR is a Concept NACK from me.

  10. ghost commented at 2:15 PM on December 28, 2020: none

    So you are not suggesting anything in addition to what is already in the "Secure string handling" section. Validating what is already in the "Secure string handling" section.

    I have added one example that I found while testing things related to #20080 (comment)

    A suggestion for changes to Bitcoin Core RPCs shouldn't go into docs

    This is not a change to RPC

    They should be discussed in an Issue/PR on their merits which presumably is what is happening in #20128. There appears to be confusion though on the exact change(s) you are suggesting there.

    All the confusion and questions have been answered already including the earlier PR. But the solution suggested in earlier is not the best thing to do because it can break few things in lot of projects unnecessarily. And it can be managed better by just mentioning in docs.

    As far as I can understand @prayank23 you want to impose additional restrictions on the characters allowed in the wallet name which is being discussed in this PR #20393. That is open and currently in draft status. That appears to have some merit and people are engaging with it.

    Those restrictions was a suggested solution which isn't the best approach to solve this problem IMO. People who are engaging never really tested it so they might find lot of issues with it once they test it on different platforms and projects.

    I don't see the motivation for changing the docs at this stage. If a PR based on #20393 is merged then maybe additional guidance can be considered for the docs (for whatever restrictions are not merged). But until then this particular doc PR is a Concept NACK from me.

    Thanks for your review and contribution

  11. michaelfolkson commented at 2:21 PM on December 28, 2020: contributor

    So you will be closing #20393? You don't think there should be any additional restrictions on the wallet name? Please add a comment to that PR and close it if that is the case.

    Instead you want in this doc PR to warn application developers that the Core RPC does not impose these restrictions on the wallet name and hence application developers should be careful to impose application level checks on the wallet names that their users use? Is that correct?

  12. ghost commented at 2:25 PM on December 28, 2020: none

    So you will be closing #20393? You don't think there should be any additional restrictions on the wallet name? Please add a comment to that PR and close it if that is the case.

    Yes if this gets merged other will be closed. If anyone interested to find a better solution in future can create new PR.

    Instead you want in this doc PR to warn application developers that the Core RPC does not impose these restrictions on the wallet name and hence application developers should be careful to impose application level checks on the wallet names that their users use? Is that correct?

    Yes. Correct.

  13. in doc/JSON-RPC-interface.md:93 in 578315a369 outdated 
      89 | @@ -90,11 +90,14 @@ RPC interface will be abused.
  90 |    although it does usually provide serialized data using a hex
  91 |    representation of the bytes.  If you use RPC data in your programs or
  92 |    provide its data to other programs, you must ensure any problem
  93 | -  strings are properly escaped.  For example, multiple websites have
  94 | +  strings are properly escaped.  Example: multiple websites have
    michaelfolkson commented at 2:59 PM on December 28, 2020:

    My alternative suggestion would be:

    If you use RPC data in your programs or provide its data to other programs, you must ensure any problem strings are properly escaped. For example, the createwallet RPC accepts arguments such as wallet_name which is a string and could be used for a path traversal attack without application level checks. Multiple websites have been manipulated because they displayed decoded hex strings that included HTML <script> tags. For this reason, and others, it is recommended to display all serialized data in hex form only.

  14. michaelfolkson commented at 4:06 PM on December 28, 2020: contributor

    Sorry to be a pain but you'll need to squash your commits :)

    ACK from me otherwise

  15. Update 'Secure string handling'
    Add information about possible path traversal attack with example
    7117d7503f
  16. RiccardoMasutti approved
  18. michaelfolkson commented at 7:00 PM on December 29, 2020: contributor

    ACK 7117d7503f39f06b74c84777ec4db5d456a8086f

    Please close #20393 and #20128 either now or when this is merged if there is nothing further to discuss on them.

  19. benthecarman approved
  20. benthecarman commented at 6:24 PM on December 30, 2020: contributor

    ACK 7117d7503f39f06b74c84777ec4db5d456a8086f

  21. luke-jr approved
  22. luke-jr commented at 1:12 AM on January 3, 2021: member

    ACK

  23. laanwj merged this on Jan 9, 2021
  24. laanwj closed this on Jan 9, 2021
  25. sidhujag referenced this in commit 35842bbc32 on Jan 9, 2021
  26. PastaPastaPasta referenced this in commit 01188696b4 on Jun 27, 2021
  27. PastaPastaPasta referenced this in commit 2704e4185d on Jun 28, 2021
  28. PastaPastaPasta referenced this in commit c6864e2502 on Jun 29, 2021
  29. PastaPastaPasta referenced this in commit 88c5b5f7bd on Jul 1, 2021
  30. PastaPastaPasta referenced this in commit 0f62ac0abd on Jul 1, 2021
  31. PastaPastaPasta referenced this in commit a6643f4627 on Sep 17, 2021
  32. PastaPastaPasta referenced this in commit 66d6e52d13 on Sep 19, 2021
  33. thelazier referenced this in commit 108022ba62 on Sep 25, 2021
  34. DrahtBot locked this on Aug 16, 2022
Contributors
ghostRiccardoMasuttibenthecarmanmichaelfolksonluke-jr
Labels
Docs
Linked (view graph)
#20128 Validate user input and keep path in a separate argument for importwallet, createwallet and dumpwallet#20393 error if invalid chars in wallet name#21510 Special characters in `wallet_name`
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me