Remove possibility to send json encoded parameters to /rest/getutxos/ to avoid possible DoS scenarios (issue #6192).
The JSON output option is untouched.
[REST] remove json input for getutxos, limit to query max. 15 outpoints #6193
pull jonasschnelli wants to merge 2 commits into bitcoin:master from jonasschnelli:2015/05/rest_rm_getutxos changing 3 files +113 −97-
jonasschnelli commented at 2:06 PM on May 27, 2015: contributor
-
rest.cpp: strip whitespace 64b8027c5c
- jonasschnelli force-pushed on May 27, 2015
-
laanwj commented at 2:24 PM on May 27, 2015: member
utACK, I like the new interface
-
6e71efa9f0
[REST] remove json input for getutxos, limit to query max. 15 outpoints
Remove possibility to send json encoded parameters to `/rest/getutxos/` to avoid possible DoS scenarios. The JSON output option is untouched.
- jonasschnelli force-pushed on May 27, 2015
-
jgarzik commented at 7:40 PM on May 27, 2015: contributor
ut ACK - though I don't understand why we care about operators DoS'ing themselves... Nobody should be sending any data, json or binary, straight from remote to the REST interface without sanitizing.
-
jonasschnelli commented at 7:47 PM on May 27, 2015: contributor
I agree with @jgarzik. The nice side effect of this PR is that it harmonize the input scheme (avoid raw http post data and use
/rest/<command>/<parameter:1>/<parameter:n>.jsoneverywhere). And JSON as input format was a bad decision anyways (as output format it's totally fine IMO). -
jonasschnelli commented at 6:59 AM on May 28, 2015: contributor
- laanwj added the label REST on May 29, 2015
-
laanwj commented at 11:04 AM on May 29, 2015: member
avoid raw http post data and use /rest/<command>/parameter:1/parameter:n.json everywhere
Exactly. Providing parameters in the URI is what makes this interface more elegant, for simple queries like this.
- laanwj merged this on Jun 1, 2015
- laanwj closed this on Jun 1, 2015
- laanwj referenced this in commit 42746b0476 on Jun 1, 2015
- MarcoFalke locked this on Sep 8, 2021
