Merge branch 'rpcpassword' of https://github.com/gmaxwell/bitcoin

2012-02-06 15:10:30 -05:00 · 2012-02-06 15:10:30 -05:00 · 0b9a05a2bc
parent 30999ec6f9 b04f301c8e
commit 0b9a05a2bc
1 changed files with 16 additions and 7 deletions
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@ -2368,18 +2368,25 @@ void ThreadRPCServer2(void* parg)
    printf("ThreadRPCServer started\n");

    strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
-    if (strRPCUserColonPass == ":")
+    if (mapArgs["-rpcpassword"] == "")
    {
+        unsigned char rand_pwd[32];
+        RAND_bytes(rand_pwd, 32);
        string strWhatAmI = "To use bitcoind";
        if (mapArgs.count("-server"))
            strWhatAmI = strprintf(_("To use the %s option"), "\"-server\"");
        else if (mapArgs.count("-daemon"))
            strWhatAmI = strprintf(_("To use the %s option"), "\"-daemon\"");
        PrintConsole(
-            _("Error: %s, you must set rpcpassword=<password>\nin the configuration file: %s\n"
+            _("Error: %s, you must set a rpcpassword in the configuration file:\n %s\n"
+              "It is recommended you use the following random password:\n"
+              "rpcuser=bitcoinrpc\n"
+              "rpcpassword=%s\n"
+              "(you do not need to remember this password)\n"
              "If the file does not exist, create it with owner-readable-only file permissions.\n"),
                strWhatAmI.c_str(),
-                GetConfigFile().c_str());
+                GetConfigFile().c_str(),
+                EncodeBase58(&rand_pwd[0],&rand_pwd[0]+32).c_str());
 #ifndef QT_GUI
        CreateThread(Shutdown, NULL);
 #endif
@ -2468,12 +2475,14 @@ void ThreadRPCServer2(void* parg)
        }
        if (!HTTPAuthorized(mapHeaders))
        {
-            // Deter brute-forcing short passwords
-            if (mapArgs["-rpcpassword"].size() < 15)
-                Sleep(50);
+            printf("ThreadRPCServer incorrect password attempt from %s\n",peer.address().to_string().c_str());
+            /* Deter brute-forcing short passwords.
+               If this results in a DOS the user really
+               shouldn't have their RPC port exposed.*/
+            if (mapArgs["-rpcpassword"].size() < 20)
+                Sleep(250);

            stream << HTTPReply(401, "") << std::flush;
-            printf("ThreadRPCServer incorrect password attempt\n");
            continue;
        }