1.4.2 and RPC bugs

Fixed a potential CSRF bug in the RPC for the GUI wallet.

Fixed a bug where it was reading the incorrect mixin in the RPC.

 Changed the version to 1.4.2

contrib/epee/include/net/http_protocol_handler.h

@@ -56,6 +56,7 @@ namespace net_utils
 			std::string m_folder;
 			std::vector<std::string> m_access_control_origins;
 			boost::optional<login> m_user;
+                        std::string m_required_user_agent;
 			critical_section m_lock;
 		};
 

contrib/epee/include/net/http_protocol_handler.inl

@@ -419,6 +419,13 @@ namespace net_utils
 			return false;
 		}
 
+                if (!m_config.m_required_user_agent.empty() && m_query_info.m_header_info.m_user_agent != m_config.m_required_user_agent)
+                {
+			LOG_ERROR("simple_http_connection_handler<t_connection_context>::analize_cached_request_header_and_invoke_state(): unexpected user agent: " << m_query_info.m_header_info.m_user_agent);
+			m_state = http_state_error;
+			return false;
+                }
+
 		m_cache.erase(0, pos);
 
 		std::string req_command_str = m_query_info.m_full_request_str;

contrib/epee/include/net/http_server_impl_base.h

@@ -57,7 +57,7 @@ namespace epee
 
     bool init(std::function<void(size_t, uint8_t*)> rng, const std::string& bind_port = "0", const std::string& bind_ip = "0.0.0.0",
       std::vector<std::string> access_control_origins = std::vector<std::string>(),
-      boost::optional<net_utils::http::login> user = boost::none)
+      boost::optional<net_utils::http::login> user = boost::none, const std::string &user_agent = "")
     {
 
       //set self as callback handler
@@ -66,6 +66,8 @@ namespace epee
 
       //here set folder for hosting reqests
       m_net_server.get_config_object().m_folder = "";
+
+      m_net_server.get_config_object().m_required_user_agent = user_agent;
 
       //set access control allow origins if configured
       std::sort(access_control_origins.begin(), access_control_origins.end());

src/rpc/core_rpc_server.cpp

@@ -76,6 +76,7 @@ namespace cryptonote
     command_line::add_arg(desc, arg_restricted_rpc);
     command_line::add_arg(desc, arg_bootstrap_daemon_address);
     command_line::add_arg(desc, arg_bootstrap_daemon_login);
+    command_line::add_arg(desc, arg_user_agent);
     cryptonote::rpc_args::init_options(desc);
   }
   //------------------------------------------------------------------------------------------------------------------------------
@@ -97,6 +98,7 @@ namespace cryptonote
     m_restricted = restricted;
     m_nettype = nettype;
     m_net_server.set_threads_prefix("RPC");
+
 
     auto rpc_config = cryptonote::rpc_args::process(vm);
     if (!rpc_config)
@@ -133,7 +135,7 @@ namespace cryptonote
 
     auto rng = [](size_t len, uint8_t *ptr){ return crypto::rand(len, ptr); };
     return epee::http_server_impl_base<core_rpc_server, connection_context>::init(
-      rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login)
+      rng, std::move(port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login), std::move(rpc_config->user_agent)
     );
   }
   //------------------------------------------------------------------------------------------------------------------------------
@@ -2232,4 +2234,10 @@ namespace cryptonote
     , "Specify username:password for the bootstrap daemon login"
     , ""
     };
+
+  const command_line::arg_descriptor<std::string> core_rpc_server::arg_user_agent = {
+      "user-agent"
+    , "Restrict RPC to clients using this user agent"
+    , ""
+    };
 }  // namespace cryptonote

src/rpc/core_rpc_server.h

@@ -58,6 +58,7 @@ namespace cryptonote
     static const command_line::arg_descriptor<bool> arg_restricted_rpc;
     static const command_line::arg_descriptor<std::string> arg_bootstrap_daemon_address;
     static const command_line::arg_descriptor<std::string> arg_bootstrap_daemon_login;
+    static const command_line::arg_descriptor<std::string> arg_user_agent;
 
     typedef epee::net_utils::connection_context_base connection_context;
 

src/rpc/rpc_args.cpp

@@ -41,6 +41,7 @@ namespace cryptonote
      , rpc_login({"rpc-login", rpc_args::tr("Specify username[:password] required for RPC server"), "", true})
      , confirm_external_bind({"confirm-external-bind", rpc_args::tr("Confirm rpc-bind-ip value is NOT a loopback (local) IP")})
      , rpc_access_control_origins({"rpc-access-control-origins", rpc_args::tr("Specify a comma separated list of origins to allow cross origin resource sharing"), ""})
+     , rpc_user_agent({"rpc-user-agent", rpc_args::tr("Specify the User-Agent to have the RPC server use, for secured RPC connections"), ""})
   {}
 
   const char* rpc_args::tr(const char* str) { return i18n_translate(str, "cryptonote::rpc_args"); }
@@ -52,6 +53,7 @@ namespace cryptonote
     command_line::add_arg(desc, arg.rpc_login);
     command_line::add_arg(desc, arg.confirm_external_bind);
     command_line::add_arg(desc, arg.rpc_access_control_origins);
+    command_line::add_arg(desc, arg.rpc_user_agent);
   }
 
   boost::optional<rpc_args> rpc_args::process(const boost::program_options::variables_map& vm)
@@ -118,6 +120,8 @@ namespace cryptonote
       config.access_control_origins = std::move(access_control_origins);
     }
 
+    config.user_agent = command_line::get_arg(vm, arg.rpc_user_agent);
+
     return {std::move(config)};
   }
 }

src/rpc/rpc_args.h

@@ -54,6 +54,7 @@ namespace cryptonote
       const command_line::arg_descriptor<std::string> rpc_login;
       const command_line::arg_descriptor<bool> confirm_external_bind;
       const command_line::arg_descriptor<std::string> rpc_access_control_origins;
+      const command_line::arg_descriptor<std::string> rpc_user_agent;
     };
 
     static const char* tr(const char* str);
@@ -64,6 +65,7 @@ namespace cryptonote
 
     std::string bind_ip;
     std::vector<std::string> access_control_origins;
+    std::string user_agent;
     boost::optional<tools::login> login; // currently `boost::none` if unspecified by user
   };
 }

src/version.cpp.in

@@ -1,5 +1,5 @@
 #define DEF_XCASH_VERSION_TAG "@VERSIONTAG@"
-#define DEF_XCASH_VERSION "1.4.1"
+#define DEF_XCASH_VERSION "1.4.2"
 #define DEF_XCASH_RELEASE_NAME ""
 #define DEF_XCASH_VERSION_FULL DEF_XCASH_VERSION "-" DEF_XCASH_VERSION_TAG
 

src/wallet/wallet2.cpp

@@ -6199,7 +6199,7 @@ return use_fork_rules(HF_VERSION_MIN_MIXIN_20,10) == true ? 21 : 11;
 //------------------------------------------------------------------------------------------------------------------------------
 uint64_t wallet2::adjust_mixin(uint64_t mixin) const
 {
-  const uint64_t ringsize = mixin++;
+  const uint64_t ringsize = mixin + 1;
   const uint64_t min_ring_size = get_min_ring_size();
   const uint64_t max_ring_size = get_max_ring_size();
 

src/wallet/wallet_rpc_server.cpp

@@ -236,7 +236,7 @@ namespace tools
     m_net_server.set_threads_prefix("RPC");
     auto rng = [](size_t len, uint8_t *ptr) { return crypto::rand(len, ptr); };
     return epee::http_server_impl_base<wallet_rpc_server, connection_context>::init(
-      rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login)
+      rng, std::move(bind_port), std::move(rpc_config->bind_ip), std::move(rpc_config->access_control_origins), std::move(http_login), std::move(rpc_config->user_agent)
     );
   }
   //------------------------------------------------------------------------------------------------------------------------------