aboutsummaryrefslogtreecommitdiffstats
path: root/rpc
diff options
context:
space:
mode:
authorMartin Holst Swende <martin@swende.se>2018-09-25 21:54:58 +0800
committerGitHub <noreply@github.com>2018-09-25 21:54:58 +0800
commitd3441ebb563439bac0837d70591f92e2c6080303 (patch)
treecec46689f8ec4fd4570322e79ad7167c3b792c74 /rpc
parenta95a601f35c49be6045de522138f639fbb68c885 (diff)
downloaddexon-d3441ebb563439bac0837d70591f92e2c6080303.tar
dexon-d3441ebb563439bac0837d70591f92e2c6080303.tar.gz
dexon-d3441ebb563439bac0837d70591f92e2c6080303.tar.bz2
dexon-d3441ebb563439bac0837d70591f92e2c6080303.tar.lz
dexon-d3441ebb563439bac0837d70591f92e2c6080303.tar.xz
dexon-d3441ebb563439bac0837d70591f92e2c6080303.tar.zst
dexon-d3441ebb563439bac0837d70591f92e2c6080303.zip
cmd/clef, signer: security fixes (#17554)
* signer: remove local path disclosure from extapi * signer: show more data in cli ui * rpc: make http server forward UA and Origin via Context * signer, clef/core: ui changes + display UA and Origin * signer: cliui - indicate less trust in remote headers, see https://github.com/ethereum/go-ethereum/issues/17637 * signer: prevent possibility swap KV-entries in aes_gcm storage, fixes #17635 * signer: remove ecrecover from external API * signer,clef: default reject instead of warn + valideate new passwords. fixes #17632 and #17631 * signer: check calldata length even if no ABI signature is present * signer: fix failing testcase * clef: remove account import from external api * signer: allow space in passwords, improve error messsage * signer/storage: fix typos
Diffstat (limited to 'rpc')
-rw-r--r--rpc/http.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/rpc/http.go b/rpc/http.go
index 9e4f2b261..af79858e2 100644
--- a/rpc/http.go
+++ b/rpc/http.go
@@ -238,6 +238,12 @@ func (srv *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
ctx = context.WithValue(ctx, "remote", r.RemoteAddr)
ctx = context.WithValue(ctx, "scheme", r.Proto)
ctx = context.WithValue(ctx, "local", r.Host)
+ if ua := r.Header.Get("User-Agent"); ua != "" {
+ ctx = context.WithValue(ctx, "User-Agent", ua)
+ }
+ if origin := r.Header.Get("Origin"); origin != "" {
+ ctx = context.WithValue(ctx, "Origin", origin)
+ }
body := io.LimitReader(r.Body, maxRequestContentLength)
codec := NewJSONCodec(&httpReadWriteNopCloser{body, w})