From 7f718139191d67da29c5d856d29e035bbc51e659 Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Wed, 17 Dec 2014 09:34:09 +0000 Subject: [PATCH] Bugfix: prioritisetransaction: Do some basic sanity checking on txid Besides giving a nicer error, this also prevents logging arbitrary data (which could have been used to exploit log readers) into debug.log --- src/core_io.h | 1 + src/core_read.cpp | 5 +++++ src/rpcmining.cpp | 3 +-- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/core_io.h b/src/core_io.h index aba1928a3..bc2eb1edd 100644 --- a/src/core_io.h +++ b/src/core_io.h @@ -19,6 +19,7 @@ extern CScript ParseScript(std::string s); extern bool DecodeHexTx(CTransaction& tx, const std::string& strHexTx); extern bool DecodeHexBlk(CBlock&, const std::string& strHexBlk); extern uint256 ParseHashUV(const UniValue& v, const std::string& strName); +extern uint256 ParseHashStr(const std::string&, const std::string& strName); extern std::vector ParseHexUV(const UniValue& v, const std::string& strName); // core_write.cpp diff --git a/src/core_read.cpp b/src/core_read.cpp index 65c3a08c5..beb746ce9 100644 --- a/src/core_read.cpp +++ b/src/core_read.cpp @@ -131,6 +131,11 @@ uint256 ParseHashUV(const UniValue& v, const string& strName) string strHex; if (v.isStr()) strHex = v.getValStr(); + return ParseHashStr(strHex, strName); // Note: ParseHashStr("") throws a runtime_error +} + +uint256 ParseHashStr(const std::string& strHex, const std::string& strName) +{ if (!IsHex(strHex)) // Note: IsHex("") is false throw runtime_error(strName+" must be hexadecimal string (not '"+strHex+"')"); diff --git a/src/rpcmining.cpp b/src/rpcmining.cpp index 45899d3db..9694ec2ea 100644 --- a/src/rpcmining.cpp +++ b/src/rpcmining.cpp @@ -288,8 +288,7 @@ Value prioritisetransaction(const Array& params, bool fHelp) + HelpExampleRpc("prioritisetransaction", "\"txid\", 0.0, 10000") ); - uint256 hash; - hash.SetHex(params[0].get_str()); + uint256 hash = ParseHashStr(params[0].get_str(), "txid"); CAmount nAmount = params[2].get_int64();