Merge #20741: doc: Update 'Secure string handling'

7117d7503f39f06b74c84777ec4db5d456a8086f Update 'Secure string handling' (Prayank)

Pull request description:

  - Add information about possible path traversal attack
  - [wallet_name](https://bitcoincore.org/en/doc/0.20.0/rpc/wallet/createwallet/) (string): _The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location._

  Fixes https://github.com/bitcoin/bitcoin/issues/20128 (Not really fixing it but workaround)

  This PR is an alternative to https://github.com/bitcoin/bitcoin/pull/20393

ACKs for top commit:
  michaelfolkson:
    ACK 7117d7503f39f06b74c84777ec4db5d456a8086f
  RiccardoMasutti:
    ACK 7117d7503f
  benthecarman:
    ACK 7117d7503f39f06b74c84777ec4db5d456a8086f

Tree-SHA512: 0d6c4f8db5feba848bbb583e87a99e6c4b655deaa2b566164e2632acc1aabf470d4626d2dc4b82c4997effc30d9b474d860d0e0d3e896648c5cc9bfdb623da6d
This commit is contained in:
Wladimir J. van der Laan 2021-01-09 09:00:08 +01:00 committed by Pasta
parent f01f7603ce
commit 66d6e52d13
No known key found for this signature in database
GPG Key ID: 52527BEDABE87984

View File

@ -89,12 +89,13 @@ RPC interface will be abused.
escaping of data beyond what's necessary to encode it as JSON, escaping of data beyond what's necessary to encode it as JSON,
although it does usually provide serialized data using a hex although it does usually provide serialized data using a hex
representation of the bytes. If you use RPC data in your programs or representation of the bytes. If you use RPC data in your programs or
provide its data to other programs, you must ensure any problem provide its data to other programs, you must ensure any problem strings
strings are properly escaped. For example, multiple websites have are properly escaped. For example, the `createwallet` RPC accepts
been manipulated because they displayed decoded hex strings that arguments such as `wallet_name` which is a string and could be used
included HTML `<script>` tags. For this reason, and other for a path traversal attack without application level checks. Multiple
non-security reasons, it is recommended to display all serialized data websites have been manipulated because they displayed decoded hex strings
in hex form only. that included HTML `<script>` tags. For this reason, and others, it is
recommended to display all serialized data in hex form only.
## RPC consistency guarantees ## RPC consistency guarantees