Leftover: Possibly unsafe / phishing hole in code (server side string shown to user)

See original GitHub issue

I just caught this in Electron Cash – and noticed you guys have this too:

https://github.com/spesmilo/electrum/blob/371e1a6ebff4cf7660edf7d586a47dfc940e4263/electrum/gui/qt/main_window.py#L1843

Note the request.error string comes from the server. It can contain anything, including text that tells the user to do funny stuff.
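The core of the report is that a string chosen by a remote payment server is handed straight to a GUI widget. The added example below (not Electrum's or Electron Cash's code; the function names, the length limit and the sample message are all assumptions made here) shows one defensive way to present such a string: strip control and formatting characters, escape markup so a rich-text-capable widget cannot turn it into a clickable link, cap the length, and wrap it in wording that makes its untrusted origin obvious to the user.

```python
import html
import unicodedata

# Assumed limit: long enough for a real error, short enough to stop a
# server from pasting a whole page of instructions into a dialog.
MAX_LEN = 200


def sanitize_untrusted_text(raw: str, max_len: int = MAX_LEN) -> str:
    """Return a version of server-supplied text that is safe to place in a GUI label.

    Characters in the Unicode "Other" categories (Cc control codes, Cf format
    characters such as bidi overrides, surrogates, unassigned code points) are
    dropped, the result is truncated, and HTML metacharacters are escaped so a
    widget that auto-detects rich text cannot render links or bold "warnings".
    """
    cleaned = "".join(ch for ch in raw if not unicodedata.category(ch).startswith("C"))
    cleaned = cleaned.strip()
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "\u2026"
    return html.escape(cleaned, quote=True)


def format_server_error(server_error: str) -> str:
    """Wrap the sanitized server text in wording that attributes it to the server.

    The framing is the important part: the user should read the message as
    "something the remote side said", not as an instruction from the wallet.
    """
    body = sanitize_untrusted_text(server_error) or "(no message)"
    return (
        "The payment server rejected the request.\n"
        "The server's own message follows; it is not advice from this wallet:\n"
        f"\"{body}\""
    )


# Constructed sample of the kind of string a malicious or compromised server
# could return: markup, a link, and a right-to-left override character.
SAMPLE_SERVER_ERROR = (
    "Payment rejected. <b>Wallet update required:</b> visit "
    '<a href="https://example.invalid">example.invalid</a>\u202e'
)

if __name__ == "__main__":
    print(format_server_error(SAMPLE_SERVER_ERROR))
```

Escaping is the portable part of the fix; when the widget is a Qt message box, the same effect can also be obtained by forcing plain-text rendering on the box (Qt's `setTextFormat` with the plain-text format) so that auto-detected HTML is never interpreted. Dropping every "C"-category character also removes zero-width joiners used by some scripts, which is an acceptable trade for an error string but worth knowing if the text is expected to carry such characters.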

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

2 reactions
SomberNight commented, Jun 5, 2019

It looks to me that Bitcoin Core is doing the same: https://github.com/bitcoin/bitcoin/blob/758c6d784da0f191c408fda97b3071dd7e1fe8a0/src/qt/paymentserver.cpp#L718-L726

Although I am not familiar with that codebase, I think the error message is displayed to the user in the GUI in a very similar fashion.

0 reactions
cculianu commented, Jun 5, 2019
