RPC: Forbid RPC username == RPC password

Added security measure.
This commit is contained in:
Jeff Garzik 2012-11-05 01:41:53 -05:00 committed by Jeff Garzik
parent 6caffb5358
commit 7e1610d51e

View File

@ -748,7 +748,8 @@ void ThreadRPCServer2(void* parg)
printf("ThreadRPCServer started\n"); printf("ThreadRPCServer started\n");
strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"]; strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
if (mapArgs["-rpcpassword"] == "") if ((mapArgs["-rpcpassword"] == "") ||
(mapArgs["-rpcuser"] == mapArgs["-rpcpassword"]))
{ {
unsigned char rand_pwd[32]; unsigned char rand_pwd[32];
RAND_bytes(rand_pwd, 32); RAND_bytes(rand_pwd, 32);
@ -763,6 +764,7 @@ void ThreadRPCServer2(void* parg)
"rpcuser=bitcoinrpc\n" "rpcuser=bitcoinrpc\n"
"rpcpassword=%s\n" "rpcpassword=%s\n"
"(you do not need to remember this password)\n" "(you do not need to remember this password)\n"
"The username and password MUST NOT be the same.\n"
"If the file does not exist, create it with owner-readable-only file permissions.\n"), "If the file does not exist, create it with owner-readable-only file permissions.\n"),
strWhatAmI.c_str(), strWhatAmI.c_str(),
GetConfigFile().string().c_str(), GetConfigFile().string().c_str(),