fix: sanitize outputs

2014-06-06 07:48:08 +02:00 · 2014-06-06 07:48:08 +02:00 · 38a6747eff
parent 0673df9176
commit 38a6747eff
4 changed files with 23 additions and 23 deletions
--- a/gui/qt/main_window.py
+++ b/gui/qt/main_window.py
@ -797,10 +797,22 @@ class ElectrumWindow(QMainWindow):

        if self.gui_object.payment_request:
            outputs = self.gui_object.payment_request.outputs
-            amount = self.gui_object.payment_request.get_amount()
        else:
            outputs = self.payto_e.get_outputs()
-            amount = sum(map(lambda x:x[1], outputs))
+
+        if not outputs:
+            QMessageBox.warning(self, _('Error'), _('No outputs'), _('OK'))
+            return
+
+        for addr, x in outputs:
+            if addr is None or not bitcoin.is_address(addr):
+                QMessageBox.warning(self, _('Error'), _('Invalid Bitcoin Address'), _('OK'))
+                return
+            if type(x) is not int:
+                QMessageBox.warning(self, _('Error'), _('Invalid Amount'), _('OK'))
+                return
+
+        amount = sum(map(lambda x:x[1], outputs))

        try:
            fee = self.fee_e.get_amount()
--- a/gui/qt/paytoedit.py
+++ b/gui/qt/paytoedit.py
@ -41,6 +41,7 @@ class PayToEdit(QTextEdit):
        self.setMaximumHeight(27)
        self.c = None
        self.textChanged.connect(self.check_text)
+        self.outputs = []

    def lock_amount(self):
        self.amount_edit.setFrozen(True)
@ -88,8 +89,15 @@ class PayToEdit(QTextEdit):
                self.payto_address = self.parse_address(lines[0])
            except:
                pass
+
            if self.payto_address:
                self.unlock_amount()
+                try:
+                    amount = self.amount_edit.get_amount()
+                except:
+                    amount = None
+
+                self.outputs = [(self.payto_address, amount)]
                return

        for line in lines:
@ -115,24 +123,7 @@ class PayToEdit(QTextEdit):
            self.unlock_amount()


-
    def get_outputs(self):
-
-        if self.payto_address:
-            
-            if not bitcoin.is_address(self.payto_address):
-                QMessageBox.warning(self, _('Error'), _('Invalid Bitcoin Address') + ':\n' + self.payto_address, _('OK'))
-                return
-
-            try:
-                amount = self.amount_edit.get_amount()
-            except Exception:
-                QMessageBox.warning(self, _('Error'), _('Invalid Amount'), _('OK'))
-                return
-
-            outputs = [(self.payto_address, amount)]
-            return outputs
-
        return self.outputs


--- a/lib/paymentrequest.py
+++ b/lib/paymentrequest.py
@ -57,9 +57,6 @@ class PaymentRequest:
        self.outputs = []
        self.error = ""

-    def get_amount(self):
-        return sum(map(lambda x:x[1], self.outputs))
-

    def verify(self):
        u = urlparse.urlparse(self.url)
--- a/lib/wallet.py
+++ b/lib/wallet.py
@ -118,7 +118,7 @@ class WalletStorage:
        with self.lock:
            if value is not None:
                self.data[key] = value
-            else:
+            elif key in self.data:
                self.data.pop(key)
            if save: 
                self.write()