From 01094bd01f5d999b7da698c0e655cf723afa8ebb Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 19 Aug 2014 14:40:11 +0200 Subject: [PATCH] Don't reveal whether password is <20 or >20 characters in RPC As discussed on IRC. It seems bad to base a decision to delay based on the password length, as it leaks a small amount of information. --- src/rpcserver.cpp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp index 3b51c91e7..524627e2d 100644 --- a/src/rpcserver.cpp +++ b/src/rpcserver.cpp @@ -849,11 +849,10 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn, if (!HTTPAuthorized(mapHeaders)) { LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string()); - /* Deter brute-forcing short passwords. + /* Deter brute-forcing If this results in a DoS the user really shouldn't have their RPC port exposed. */ - if (mapArgs["-rpcpassword"].size() < 20) - MilliSleep(250); + MilliSleep(250); conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush; return false;