ARCHIVE/rippled
1
0
Fork 0
mirror of https://github.com/XRPLF/rippled.git synced 2025-11-21 19:45:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change the security model for RPC admin access.

Browse Source
This commit is contained in:
Arthur Britto
2013-01-18 00:36:22 -08:00
parent f6202011fd
commit bda80d4144
11 changed files with 98 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/cpp/ripple/RPCServer.cpp
View File

@@ -32,9 +32,6 @@ RPCServer::RPCServer(boost::asio::io_service& io_service , NetworkOPs* nopNetwor
void RPCServer::connected()
{
//std::cerr << "RPC request" << std::endl;
if (mSocket.remote_endpoint().address().to_string()=="127.0.0.1") mRole = RPCHandler::ADMIN;
else mRole = RPCHandler::GUEST;
boost::asio::async_read_until(mSocket, mLineBuffer, "\r\n",
boost::bind(&RPCServer::handle_read_line, shared_from_this(), boost::asio::placeholders::error));
}
@@ -114,16 +111,17 @@ std::string RPCServer::handleRequest(const std::string& requestStr)
Json::Value id;
// Parse request
Json::Value valRequest;
Json::Reader reader;
if (!reader.parse(requestStr, valRequest) || valRequest.isNull() || !valRequest.isObject())
Json::Value jvRequest;
Json::Reader reader;
if (!reader.parse(requestStr, jvRequest) || jvRequest.isNull() || !jvRequest.isObject())
return(HTTPReply(400, "unable to parse request"));
// Parse id now so errors from here on will have the id
id = valRequest["id"];
id = jvRequest["id"];
// Parse method
Json::Value valMethod = valRequest["method"];
Json::Value valMethod = jvRequest["method"];
if (valMethod.isNull())
return(HTTPReply(400, "null method"));
if (!valMethod.isString())
@@ -131,11 +129,24 @@ std::string RPCServer::handleRequest(const std::string& requestStr)
std::string strMethod = valMethod.asString();
// Parse params
Json::Value valParams = valRequest["params"];
Json::Value valParams = jvRequest["params"];
if (valParams.isNull())
{
valParams = Json::Value(Json::arrayValue);
}
else if (!valParams.isArray())
return(HTTPReply(400, "params unparseable"));
{
return HTTPReply(400, "params unparseable");
}
mRole = iAdminGet(jvRequest, mSocket.remote_endpoint().address().to_string());
if (RPCHandler::FORBID == mRole)
{
// XXX This needs rate limiting to prevent brute forcing password.
return HTTPReply(403, "Forbidden");
}
RPCHandler mRPCHandler(mNetOps);