From 7e1610d51ebdb520dac397d74bc92c3448eb3e02 Mon Sep 17 00:00:00 2001
From: Jeff Garzik <jgarzik@exmulti.com>
Date: Mon, 5 Nov 2012 01:41:53 -0500
Subject: [PATCH] RPC: Forbid RPC username == RPC password

Added security measure.
---
 src/bitcoinrpc.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/bitcoinrpc.cpp b/src/bitcoinrpc.cpp
index 8c04f577d..07b616438 100644
--- a/src/bitcoinrpc.cpp
+++ b/src/bitcoinrpc.cpp
@@ -748,7 +748,8 @@ void ThreadRPCServer2(void* parg)
     printf("ThreadRPCServer started\n");
 
     strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
-    if (mapArgs["-rpcpassword"] == "")
+    if ((mapArgs["-rpcpassword"] == "") ||
+        (mapArgs["-rpcuser"] == mapArgs["-rpcpassword"]))
     {
         unsigned char rand_pwd[32];
         RAND_bytes(rand_pwd, 32);
@@ -763,6 +764,7 @@ void ThreadRPCServer2(void* parg)
               "rpcuser=bitcoinrpc\n"
               "rpcpassword=%s\n"
               "(you do not need to remember this password)\n"
+              "The username and password MUST NOT be the same.\n"
               "If the file does not exist, create it with owner-readable-only file permissions.\n"),
                 strWhatAmI.c_str(),
                 GetConfigFile().string().c_str(),