diff options
| author | gary rong <garyrong0905@gmail.com> | 2019-04-04 19:03:10 +0800 |
|---|---|---|
| committer | Péter Szilágyi <peterke@gmail.com> | 2019-04-04 19:03:10 +0800 |
| commit | d5cae48bae81cd6072255150162b26a3653f176e (patch) | |
| tree | e516341d29d6fbffbac0f389ef012fb273326c8b /cmd | |
| parent | 9b3601cfce4d61cd303f5e243813fa89426259d4 (diff) | |
| download | go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar.gz go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar.bz2 go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar.lz go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar.xz go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.tar.zst go-tangerine-d5cae48bae81cd6072255150162b26a3653f176e.zip | |
accounts, cmd, internal: disable unlock account on open HTTP (#17037)
* cmd, accounts, internal, node, rpc, signer: insecure unlock protect
* all: strict unlock API by rpc
* cmd/geth: check before printing warning log
* accounts, cmd/geth, internal: tiny polishes
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/geth/accountcmd.go | 4 | ||||
| -rw-r--r-- | cmd/geth/main.go | 38 | ||||
| -rw-r--r-- | cmd/geth/usage.go | 1 | ||||
| -rw-r--r-- | cmd/utils/flags.go | 7 |
4 files changed, 38 insertions, 12 deletions
diff --git a/cmd/geth/accountcmd.go b/cmd/geth/accountcmd.go index 071be8539..940290899 100644 --- a/cmd/geth/accountcmd.go +++ b/cmd/geth/accountcmd.go @@ -205,7 +205,7 @@ func accountList(ctx *cli.Context) error { } // tries unlocking the specified account a few times. -func unlockAccount(ctx *cli.Context, ks *keystore.KeyStore, address string, i int, passwords []string) (accounts.Account, string) { +func unlockAccount(ks *keystore.KeyStore, address string, i int, passwords []string) (accounts.Account, string) { account, err := utils.MakeAddress(ks, address) if err != nil { utils.Fatalf("Could not list accounts: %v", err) @@ -326,7 +326,7 @@ func accountUpdate(ctx *cli.Context) error { ks := stack.AccountManager().Backends(keystore.KeyStoreType)[0].(*keystore.KeyStore) for _, addr := range ctx.Args() { - account, oldPassword := unlockAccount(ctx, ks, addr, 0, nil) + account, oldPassword := unlockAccount(ks, addr, 0, nil) newPassword := getPassPhrase("Please give a new password. Do not forget this password.", true, 0, nil) if err := ks.Update(account, oldPassword, newPassword); err != nil { utils.Fatalf("Could not update the account: %v", err) diff --git a/cmd/geth/main.go b/cmd/geth/main.go index 3d96de312..1963a1a7f 100644 --- a/cmd/geth/main.go +++ b/cmd/geth/main.go @@ -57,6 +57,7 @@ var ( utils.IdentityFlag, utils.UnlockedAccountFlag, utils.PasswordFileFlag, + utils.InsecureUnlockAllowedFlag, utils.BootnodesFlag, utils.BootnodesV4Flag, utils.BootnodesV5Flag, @@ -298,16 +299,8 @@ func startNode(ctx *cli.Context, stack *node.Node) { utils.StartNode(stack) // Unlock any account specifically requested - if keystores := stack.AccountManager().Backends(keystore.KeyStoreType); len(keystores) > 0 { - ks := keystores[0].(*keystore.KeyStore) - passwords := utils.MakePasswordList(ctx) - unlocks := strings.Split(ctx.GlobalString(utils.UnlockedAccountFlag.Name), ",") - for i, account := range unlocks { - if trimmed := strings.TrimSpace(account); trimmed != "" { - unlockAccount(ctx, ks, trimmed, i, passwords) - } - } - } + unlockAccounts(ctx, stack) + // Register wallet event handlers to open and auto-derive wallets events := make(chan accounts.WalletEvent, 16) stack.AccountManager().Subscribe(events) @@ -401,3 +394,28 @@ func startNode(ctx *cli.Context, stack *node.Node) { } } } + +// unlockAccounts unlocks any account specifically requested. +func unlockAccounts(ctx *cli.Context, stack *node.Node) { + var unlocks []string + inputs := strings.Split(ctx.GlobalString(utils.UnlockedAccountFlag.Name), ",") + for _, input := range inputs { + if trimmed := strings.TrimSpace(input); trimmed != "" { + unlocks = append(unlocks, trimmed) + } + } + // Short circuit if there is no account to unlock. + if len(unlocks) == 0 { + return + } + // If insecure account unlocking is not allowed if node's APIs are exposed to external. + // Print warning log to user and skip unlocking. + if !stack.Config().InsecureUnlockAllowed && stack.Config().ExtRPCEnabled() { + utils.Fatalf("Account unlock with HTTP access is forbidden!") + } + ks := stack.AccountManager().Backends(keystore.KeyStoreType)[0].(*keystore.KeyStore) + passwords := utils.MakePasswordList(ctx) + for i, account := range unlocks { + unlockAccount(ks, account, i, passwords) + } +} diff --git a/cmd/geth/usage.go b/cmd/geth/usage.go index f1fb22f18..6d039ba04 100644 --- a/cmd/geth/usage.go +++ b/cmd/geth/usage.go @@ -148,6 +148,7 @@ var AppHelpFlagGroups = []flagGroup{ utils.UnlockedAccountFlag, utils.PasswordFileFlag, utils.ExternalSignerFlag, + utils.InsecureUnlockAllowedFlag, }, }, { diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go index 2ce3a8801..f6e428869 100644 --- a/cmd/utils/flags.go +++ b/cmd/utils/flags.go @@ -444,6 +444,10 @@ var ( Name: "vmdebug", Usage: "Record information useful for VM and contract debugging", } + InsecureUnlockAllowedFlag = cli.BoolFlag{ + Name: "allow-insecure-unlock", + Usage: "Allow insecure account unlocking when account-related RPCs are exposed by http", + } // Logging and debug settings EthStatsURLFlag = cli.StringFlag{ Name: "ethstats", @@ -1130,6 +1134,9 @@ func SetNodeConfig(ctx *cli.Context, cfg *node.Config) { if ctx.GlobalIsSet(NoUSBFlag.Name) { cfg.NoUSB = ctx.GlobalBool(NoUSBFlag.Name) } + if ctx.GlobalIsSet(InsecureUnlockAllowedFlag.Name) { + cfg.InsecureUnlockAllowed = ctx.GlobalBool(InsecureUnlockAllowedFlag.Name) + } } func setDataDir(ctx *cli.Context, cfg *node.Config) { |