Exit and show error if unrecognized command line args are present #742

pull john-moffett wants to merge 1 commits into bitcoin-core:master from john-moffett:2023_06_ExitOnLooseArgument changing 2 files +30 −0
  1. john-moffett commented at 4:37 pm on June 29, 2023: contributor

    Fixes #741

    Starting bitcoin-qt with non-hyphen ("-") arguments causes it to silently ignore any later valid options. For instance, invoking bitcoin-qt -server=1 foo -regtest on a fresh install will run mainnet instead of regtest.

    This change makes the client exit with an error message if any such “loose” arguments are encountered. This mirrors how bitcoind handles it:

    https://github.com/bitcoin/bitcoin/blob/c6287faae4c0e705a9258a340dfcf548906f12af/src/bitcoind.cpp#L127-L132

    However, BIP-21 bitcoin: payment URIs are still allowed, but only if they’re not followed by any additional options.

  2. DrahtBot commented at 4:37 pm on June 29, 2023: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK hernanmarino, pablomartin4btc, maflcko, hebasto

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  3. maflcko commented at 7:16 pm on June 29, 2023: contributor
    I always wondered why the code wasn’t the same. Was this needed for payment requests, when they were linked to be opened by the gui application?
  4. john-moffett commented at 8:27 pm on June 29, 2023: contributor

    I’m not entirely sure why they weren’t the same. In the beginning, bitcoind would handle RPC commands. Then QT got special-cased so that you couldn’t do that for bitcoin-qt – though it wouldn’t give any errors. It would just silently ignore the subsequent options.

    Then the argument-handling code split entirely here. Now bitcoind and bitcoin-qt mostly did their own thing.

    Subsequently, the ability to call RPC methods from bitcoind’s command line was removed, and “loose” (non-hyphen) arguments would result in errors.

    I can’t see any good reason for “loose” arguments to remain in bitcoin-qt.

    The “ignored options” issue was actually first raised here. The fix didn’t address the specific issue exactly, as it just caught unrecognized options (ie - arguments with a hyphen). But by then, as I mentioned, the “loose” argument problem had already been fixed in bitcoind.

  5. achow101 commented at 8:45 pm on June 29, 2023: member
    I think this is needed to handle BIP 21 URIs (not to be confused with the now removed BIP 70 payment protocol). The “loose” argument is interpreted as the URI, although ignored if they could not be recognized as one. Anything that follows it is explicitly ignored to avoid argument injection, see https://achow101.com/2021/02/0.18-uri-vuln.
  6. john-moffett commented at 9:39 pm on June 29, 2023: contributor

    Ah, thanks @achow101. I think this may still be salvageable by making an exception for just those arguments.

    https://github.com/bitcoin-core/gui/blob/561915f35f4f75365c78df939b68c9062d3d3581/src/qt/paymentserver.cpp#L83

    Will revisit tomorrow.

  7. john-moffett force-pushed on Jun 30, 2023
  8. hebasto commented at 2:20 pm on July 3, 2023: member
    Is it safer and simpler to just document that a payment URi must follow all command line options? In bitcoin-qt -help?
  9. john-moffett commented at 2:41 pm on July 3, 2023: contributor

    I could modify this PR to enforce that behavior and add the documentation to bitcoin-qt -help. Right now, the PR only allows non-option arguments which must start with bitcoin: (case insensitive). It will still ignore any options after that.

    I think leaving the current master behavior and just adding documentation to reflect it would be insufficient. My worry is that a user could be fooled by something like:

    Scammer: “Can you send me some testnet coins? Start your client with bitcoin-qt select-chain -testnet. You should have the same number of testnet coins as you have on the real network. Just send me some, please.”

    It’s also just an annoyance. I spent an embarrassingly long time trying to figure out why bitcoin-qt datadir=bitcoindatadir -regtest kept opening mainnet before I realized I omitted the hyphen on datadir.

  10. gui: Show error if unrecognized command line args are present 
    Starting bitcoin-qt with non-dash ("-") arguments causes it to
silently ignore any later valid options. This change makes the
client exit with an error message if any such "loose" arguments
are encountered.

However, allow BIP-21 'bitcoin:' URIs only if no other options
follow.
    51e4dc49f5
  11. john-moffett force-pushed on Jul 3, 2023
  12. john-moffett commented at 5:08 pm on July 3, 2023: contributor
    Modified to follow @hebasto ’s idea of only allowing bitcoin: URIs if no other options follow.
  13. hebasto requested review from achow101 on Jul 4, 2023
  14. DrahtBot added the label CI failed on Aug 17, 2023
  15. DrahtBot removed the label CI failed on Aug 22, 2023
  16. DrahtBot added the label CI failed on Aug 31, 2023
  17. DrahtBot removed the label CI failed on Sep 2, 2023
  18. DrahtBot added the label CI failed on Sep 2, 2023
  19. DrahtBot removed the label CI failed on Sep 6, 2023
  20. hernanmarino approved
  21. hernanmarino commented at 9:11 pm on September 8, 2023: contributor
    tested ACK 51e4dc49f5335b5bae6c14606d1cc653a08a96b1
  22. pablomartin4btc commented at 3:51 am on September 15, 2023: contributor

    tACK 51e4dc49f5335b5bae6c14606d1cc653a08a96b1

    I like both features the error shown when invalid args are passed and the error for options that are passed following a BIP21.

    For the last one and regarding the -regtest being ignored in your original PR description, I detected a similar scenario in bitcoin-cli a few months ago (https://github.com/bitcoin/bitcoin/pull/26990 - still in progress) where [options] passed after a command that receives arguments are not detected by the ArgsManager, they are being interpreted as another arg of the last command.

    Last thing, not part of the scope of this PR, I think we could validate the BIP21 URI grammar before opening bitcoin-qt.

  23. in src/qt/bitcoin.cpp:561 in 51e4dc49f5 
    556+        }
557+#endif
558+        if (payment_server_token_seen && arg.startsWith("-")) {
559+            InitError(Untranslated(strprintf("Options ('%s') cannot follow a BIP-21 payment URI", argv[i])));
560+            QMessageBox::critical(nullptr, PACKAGE_NAME,
561+                                  // message cannot be translated because translations have not been initialized
    luke-jr commented at 6:37 pm on September 15, 2023:
    Should we just initialize them in this codepath?
  24. in src/qt/bitcoin.cpp:559 in 51e4dc49f5 
    554+            invalid_token &= false;
555+            payment_server_token_seen = true;
556+        }
557+#endif
558+        if (payment_server_token_seen && arg.startsWith("-")) {
559+            InitError(Untranslated(strprintf("Options ('%s') cannot follow a BIP-21 payment URI", argv[i])));
    luke-jr commented at 6:39 pm on September 15, 2023: 
    0            InitError(Untranslated(strprintf("Options (eg, '%s') cannot follow a URI", argv[i])));
  25. DrahtBot added the label CI failed on Oct 13, 2023
  26. DrahtBot removed the label CI failed on Oct 13, 2023
  27. maflcko commented at 10:34 am on October 20, 2023: contributor
    lgtm ACK 51e4dc49f5335b5bae6c14606d1cc653a08a96b1
  28. DrahtBot added the label CI failed on Oct 25, 2023
  29. maflcko commented at 11:11 am on October 25, 2023: contributor
    Fuzz CI failure can be ignored
  30. hebasto approved
  31. hebasto commented at 12:03 pm on October 25, 2023: member
    ACK 51e4dc49f5335b5bae6c14606d1cc653a08a96b1, I have reviewed the code and it looks OK.
  32. hebasto merged this on Oct 25, 2023
  33. hebasto closed this on Oct 25, 2023
  34. hebasto referenced this in commit 9e68a8208f on Feb 11, 2024
  35. bitcoin-core locked this on Oct 24, 2024


john-moffett DrahtBot maflcko achow101 hebasto hernanmarino pablomartin4btc luke-jr


achow101

Labels
CI failed

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/gui. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-31 23:20 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me