mirror of
https://github.com/dashpay/dash.git
synced 2024-12-25 12:02:48 +01:00
Merge #20741: doc: Update 'Secure string handling'
7117d7503f39f06b74c84777ec4db5d456a8086f Update 'Secure string handling' (Prayank)
Pull request description:
- Add information about possible path traversal attack
- [wallet_name](https://bitcoincore.org/en/doc/0.20.0/rpc/wallet/createwallet/) (string): _The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location._
Fixes https://github.com/bitcoin/bitcoin/issues/20128 (Not really fixing it but workaround)
This PR is an alternative to https://github.com/bitcoin/bitcoin/pull/20393
ACKs for top commit:
michaelfolkson:
ACK 7117d7503f39f06b74c84777ec4db5d456a8086f
RiccardoMasutti:
ACK 7117d7503f
benthecarman:
ACK 7117d7503f39f06b74c84777ec4db5d456a8086f
Tree-SHA512: 0d6c4f8db5feba848bbb583e87a99e6c4b655deaa2b566164e2632acc1aabf470d4626d2dc4b82c4997effc30d9b474d860d0e0d3e896648c5cc9bfdb623da6d
parent f01f7603ce
commit 66d6e52d13
@ -89,12 +89,13 @@ RPC interface will be abused.
escaping of data beyond what's necessary to encode it as JSON,
escaping of data beyond what's necessary to encode it as JSON,
although it does usually provide serialized data using a hex
although it does usually provide serialized data using a hex
representation of the bytes. If you use RPC data in your programs or
representation of the bytes. If you use RPC data in your programs or
provide its data to other programs, you must ensure any problem
provide its data to other programs, you must ensure any problem strings
strings are properly escaped. For example, multiple websites have
are properly escaped. For example, the `createwallet` RPC accepts
been manipulated because they displayed decoded hex strings that
arguments such as `wallet_name` which is a string and could be used
included HTML `<script>` tags. For this reason, and other
for a path traversal attack without application level checks. Multiple
non-security reasons, it is recommended to display all serialized data
websites have been manipulated because they displayed decoded hex strings
in hex form only.
that included HTML `<script>` tags. For this reason, and others, it is
recommended to display all serialized data in hex form only.
## RPC consistency guarantees
## RPC consistency guarantees
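Review bot: the new `createwallet` / `wallet_name` sentence puts an input-validation concern (a caller-supplied string being used as a filesystem path) into a paragraph that is about escaping RPC output before it is displayed or handed to another program, so the "For example" now illustrates the wrong point and the reader is left to infer where the check belongs. Suggest giving it its own sentence after the escaping advice, e.g. "Separately, RPC arguments such as `createwallet`'s `wallet_name` are plain strings; if your application lets users choose them, validate them (reject path separators and `..`) before passing them to the node." Two smaller points in the same lines: "which is a string" needs a leading comma, and "application level checks" should be "application-level checks".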