addpeeraddress
needs to get its port-value sanitized.
Sanitize port
in addpeeraddress()
#23679
pull
amadeuszpawlik
wants to merge
1
commits into
bitcoin:master
from
amadeuszpawlik:sanitize_port_rpc
changing
2
files
+5 −1
-
amadeuszpawlik commented at 8:55 pm on December 5, 2021: contributorIn connection to #22087, it has been pointed out that
-
DrahtBot added the label RPC/REST/ZMQ on Dec 5, 2021
-
DrahtBot added the label Upstream on Dec 5, 2021
-
DrahtBot added the label Utils/log/libs on Dec 5, 2021
-
ghost commented at 11:10 pm on December 7, 2021: none
Or should I rather validate port directly in addpeeraddress() and just ignore the -0 case?
I think it can be ignored. Tried using-0
in few other arguments for other RPC and it is considered as0
. I could not find a way to readpeers.dat
however this observation is based on usage of negative zero in other parameters.Based on reading few posts like https://softwareengineering.stackexchange.com/questions/280648/why-is-negative-zero-important it could be an issue in some cases
but not here I guess.I have no opinion on this because I couldn’t do anything interesting with@amadeuszpawlik I tried using port-0
inaddpeeraddress
-0
inaddnode
and it adds negative zero in the port, I am assuming similar thing would happen withaddpeeraddress
so:Concept ACK for this PR and maybe we need to make changes for few other RPC
-
amadeuszpawlik commented at 2:12 pm on December 12, 2021: contributor
@prayank23 good find with
addnode
(although in that particular command the port is specified in an address string, so this wouldn’t fix it). It looks like-0
is not the only case thataddnode
accepts. The moddedSplitHostPort
I propose in #22087 would definitely be nice here for port validation. I’ll go trough other RPCs and add validation for them too.My question still stands, is modifying
univalue
a valid approach for commands that currently useint
for port value, or do I ignore the-0
case and simply validate directly innet.cpp
? -
amadeuszpawlik marked this as ready for review on Feb 21, 2022
-
amadeuszpawlik marked this as a draft on Feb 21, 2022
-
DrahtBot commented at 3:27 pm on May 11, 2022: member
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Conflicts
No conflicts as of last run.
-
DrahtBot added the label Needs rebase on May 13, 2022
-
in src/rpc/net.cpp:946 in 0f72ddfbe5 outdated
942@@ -943,7 +943,7 @@ static RPCHelpMan addpeeraddress() 943 } 944 945 const std::string& addr_string{request.params[0].get_str()}; 946- const uint16_t port{static_cast<uint16_t>(request.params[1].get_int())}; 947+ const uint16_t& port{request.params[1].get_uint16()};
MarcoFalke commented at 10:09 am on May 13, 2022:0 const auto port{request.params[1].getInt<uint16_t>()};
on master this is now trivial to implement in a one-line diff
amadeuszpawlik force-pushed on May 13, 2022amadeuszpawlik marked this as ready for review on May 13, 2022amadeuszpawlik marked this as a draft on May 13, 2022DrahtBot removed the label Needs rebase on May 13, 2022amadeuszpawlik force-pushed on May 14, 2022Sanitize port in `addpeeraddress()`
- Ensures port sanitization in `addpeeraddress()` - Adds test to check for invalid port values
amadeuszpawlik force-pushed on May 14, 2022amadeuszpawlik marked this as ready for review on May 14, 2022MarcoFalke removed the label RPC/REST/ZMQ on May 14, 2022MarcoFalke removed the label Upstream on May 14, 2022MarcoFalke removed the label Utils/log/libs on May 14, 2022DrahtBot added the label RPC/REST/ZMQ on May 14, 2022fanquake approvedfanquake commented at 3:38 pm on May 17, 2022: memberACK ada8358ef54aaa04c9182afe115d8046c801bddefanquake merged this on May 17, 2022fanquake closed this on May 17, 2022
sidhujag referenced this in commit ec374e7e02 on May 28, 2022DrahtBot locked this on May 17, 2023
This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-22 06:12 UTC
More mirrored repositories can be found on mirror.b10c.me