authormoneromooo-monero <moneromooo-monero@users.noreply.github.com>2021-10-24 16:49:11 +0000
committermoneromooo-monero <moneromooo-monero@users.noreply.github.com>2021-10-24 17:17:12 +0000
commite8e507f36f864c5558aaa15024673ac5cb66289f (patch)
treede723c09f323f9ac58c8ffa916da559b3008085c /src/rpc/core_rpc_server.cpp
parentMerge pull request #8001 (diff)
rpc: fix DoS vector in get_output_distribution
This will prevent people spending old pre-rct outputs using a stranger's node, which may be a good thing
Diffstat (limited to 'src/rpc/core_rpc_server.cpp')
-rw-r--r--src/rpc/core_rpc_server.cpp15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/rpc/core_rpc_server.cpp b/src/rpc/core_rpc_server.cpp
index da36f3c64..2ccaac57a 100644
--- a/src/rpc/core_rpc_server.cpp
+++ b/src/rpc/core_rpc_server.cpp
@@ -3164,6 +3164,14 @@ namespace cryptonote
if (use_bootstrap_daemon_if_necessary<COMMAND_RPC_GET_OUTPUT_DISTRIBUTION>(invoke_http_mode::JON_RPC, "get_output_distribution", req, res, r))
return r;
+ const bool restricted = m_restricted && ctx;
+ if (restricted && req.amounts != std::vector<uint64_t>(1, 0))
+ {
+ error_resp.code = CORE_RPC_ERROR_CODE_RESTRICTED;
+ error_resp.message = "Restricted RPC can only get output distribution for rct outputs. Use your own node.";
+ return false;
+ }
+
size_t n_0 = 0, n_non0 = 0;
for (uint64_t amount: req.amounts)
if (amount) ++n_non0; else ++n_0;
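Review bot: The new restricted check runs only after the `use_bootstrap_daemon_if_necessary` early return at the top of the hunk, so a restricted node that is proxying to a bootstrap daemon appears to forward the request without this filter; the `.bin` hunk below has the same ordering. If a restricted node is meant never to serve pre-rct distributions, the check could move above the bootstrap call; otherwise a comment should state that the upstream daemon is relied on to enforce the limit. The guard also deserves a why-comment, e.g. `// restricted RPC serves only the rct (amount 0) distribution; other amounts are the DoS vector fixed here`. The enclosing handler starts and ends outside the hunk.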
@@ -3205,6 +3213,13 @@ namespace cryptonote
if (use_bootstrap_daemon_if_necessary<COMMAND_RPC_GET_OUTPUT_DISTRIBUTION>(invoke_http_mode::BIN, "/get_output_distribution.bin", req, res, r))
return r;
+ const bool restricted = m_restricted && ctx;
+ if (restricted && req.amounts != std::vector<uint64_t>(1, 0))
+ {
+ res.status = "Restricted RPC can only get output distribution for rct outputs. Use your own node.";
+ return false;
+ }
+
size_t n_0 = 0, n_non0 = 0;
for (uint64_t amount: req.amounts)
if (amount) ++n_non0; else ++n_0;
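Review bot: In the binary handler the rejection sets `res.status` and then does `return false;`, while the JSON-RPC hunk reports the refusal through `error_resp`. If the binary dispatcher treats a `false` return as a transport-level failure (not visible in this hunk), the "Use your own node" text would never reach the client. Consider `return true;` after setting `res.status` if that is how this handler reports its other failures, or confirm that callers surface the message. The identical guard is now written in both handlers, so a shared private helper would keep the two restrictions from drifting apart. The handler body continues outside the hunk.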