rpc: Quote user supplied descriptor in error msg #23926

pull MarcoFalke wants to merge 1 commits into bitcoin:master from MarcoFalke:2112-rpcQuote changing 2 files +4 −4
  1. MarcoFalke commented at 10:38 am on December 31, 2021: member

    Follow-up to commit fa24a3df8796cbf4eeb35d950a4c848d605e5b22

    Forgotten in https://github.com/bitcoin/bitcoin/pull/23755

  2. rpc: Quote user supplied descriptor in error msg fa4c599145
  3. DrahtBot added the label Descriptors on Dec 31, 2021
  4. DrahtBot added the label RPC/REST/ZMQ on Dec 31, 2021
  5. hebasto approved
  6. hebasto commented at 12:21 pm on December 31, 2021: member
    ACK fa4c599145843b0d3cf998d661281a39bc438d95, tested locally.
  7. unknown approved
  8. unknown commented at 12:37 pm on December 31, 2021: none

    tACK https://github.com/bitcoin/bitcoin/pull/23926/commits/fa4c599145843b0d3cf998d661281a39bc438d95

    I missed #23755 , there could have been a few downsides in quoting user supplied input without sanitization. However, I could not find any issues in my tests so I think its okay to quote user input.

    Steps that I followed to test:

    1. I could not find any option in GUI that throws this error to confirm nothing like https://github.com/bitcoin-core/gui/pull/280 would happen.

    2. It tried entering random strings in getdescriptorinfo, this did not generate any logs in debug.log so there won’t any issues like CVE-2018–20586

    0bitcoin-cli getdescriptorinfo "You became a vitim of ABC Ransomware. Please follow the steps shared here: https://attacker.domain/info'. 'Encrypted string"

    0error code: -5
1error message:
2'You became a vitim of ABC Ransomware. Please follow the steps shared here: https://attacker.domain/info'. 'Encrypted string' is not a valid descriptor function
    1. Tried fuzzing with a few wordlists and found nothing interesting.
  9. MarcoFalke commented at 1:43 pm on December 31, 2021: member
    Going to merge this, to be able to reboot the fuzzing
  10. MarcoFalke merged this on Dec 31, 2021
  11. MarcoFalke closed this on Dec 31, 2021
  12. MarcoFalke deleted the branch on Dec 31, 2021
  13. sidhujag referenced this in commit 43040aabbb on Dec 31, 2021
  14. DrahtBot locked this on Dec 31, 2022


MarcoFalke hebasto

Labels
RPC/REST/ZMQ Descriptors

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-11-21 09:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me