Skip to content

test: Assert RPC Server binds before creating cookie#26964

Closed
willcl-ark wants to merge 3 commits intobitcoin:masterfrom
willcl-ark:2023-01-cookie-bind
Closed

test: Assert RPC Server binds before creating cookie#26964
willcl-ark wants to merge 3 commits intobitcoin:masterfrom
willcl-ark:2023-01-cookie-bind

Conversation

@willcl-ark
Copy link
Copy Markdown
Member

@willcl-ark willcl-ark commented Jan 25, 2023

If the RPC server does not bind first there exists a race condition between malware and bitcoind to bind to the port and recieve a cookie request from external application.

This test relies on the order of log messages, which may (I don't know) be slightly brittle. However because both InitHTTPServer() and StartHTTPRPC() are called in single-threaded series from within AppInitServers() it should work well enough.

bitcoin/src/init.cpp

Lines 667 to 672 in 50ac8f5

if (!InitHTTPServer())
return false;
StartRPC();
node.rpc_interruption_point = RpcInterruptionPoint;
if (!StartHTTPRPC(&node))
return false;

@willcl-ark
test: add ordered log checking to assert_debug_log
373ba60 
This allows specification that log entries should be detected in the
order they are passed in through their argument list.
@willcl-ark
test: assert RPC binds before creating cookie
4c4b01e 
If we don't bind before creating the authentication cookie a race
condition exists where malware could restart the node, bind to the RPC
port and read the current cookie before bitcoind binds.
@willcl-ark
test: remove unused url from rpc_users.py
1c07564
@DrahtBot
Copy link
Copy Markdown
Contributor

DrahtBot commented Jan 25, 2023
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.
A summary of reviews will appear here.

Conflicts

No conflicts as of last run.

@maflcko maflcko changed the title Assert RPC Server binds before creating cookie test: Assert RPC Server binds before creating cookie Jan 25, 2023
@DrahtBot DrahtBot added the Tests label Jan 25, 2023
@willcl-ark willcl-ark mentioned this pull request Jan 25, 2023
Merged
@DrahtBot DrahtBot mentioned this pull request Jan 26, 2023
Draft
This was referenced Feb 11, 2023
Draft
Draft
@achow101
Copy link
Copy Markdown
Member

achow101 commented Apr 25, 2023

The feature request didn't seem to attract much attention in the past. Also, the issue seems not important enough right now to keep it sitting around idle in the list of open issues.

Closing due to lack of interest. Pull requests with improvements are always welcome.

@achow101 achow101 closed this Apr 25, 2023
@luke-jr
Copy link
Copy Markdown
Member

luke-jr commented Jun 22, 2023
edited
Loading

Is this related to CVE-2018-20587?

@achow101 This appears to be a security fix, not a feature request :|

Edit: This doesn't fix anything, just tests for correct behaviour.

@bitcoin bitcoin locked and limited conversation to collaborators Sep 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

Tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@willcl-ark @DrahtBot @achow101 @luke-jr