Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FIX] Disable debug/vars #745

Merged
merged 1 commit into from
Oct 5, 2022
Merged

[FIX] Disable debug/vars #745

merged 1 commit into from
Oct 5, 2022

Conversation

ZeljkoBenovic
Copy link
Contributor

Description

For some reason, debug/vars URL endpoint on the json-rpc http API is enabled by default when DefaultServeMux is used, even though expvar package is not imported anywhere.

This presents a potential security issue and needs to be disabled by using NewServeMux function, instead of DefaultServeMux.

Changes include

  • Bugfix (non-breaking change that solves an issue)
  • Hotfix (change that solves an urgent issue, and requires immediate attention)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (change that is not backwards-compatible and/or changes current functionality)

Checklist

  • I have assigned this PR to myself
  • I have added at least 1 reviewer
  • I have added the relevant labels
  • I have updated the official documentation
  • I have added sufficient documentation in code

Testing

  • I have tested this code with the official test suite
  • I have tested this code manually

Manual tests

Compile binary from this branch and query debug/vars GET endpoint on JSON-RPC API. For example: localhost:8545/debug/vars. You should get the default GET output.

Additional comments

Fixes EDGE-856

@ZeljkoBenovic ZeljkoBenovic added the bug fix Functionality that fixes a bug label Sep 21, 2022
@ZeljkoBenovic ZeljkoBenovic self-assigned this Sep 21, 2022
zivkovicmilos
zivkovicmilos approved these changes Sep 29, 2022
View reviewed changes
Copy link
Contributor

@zivkovicmilos zivkovicmilos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch 💯

@ZeljkoBenovic ZeljkoBenovic merged commit 41cf837 into develop Oct 5, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Oct 5, 2022
@zivkovicmilos zivkovicmilos deleted the fix/disable-default-debug_vars branch October 11, 2022 12:44
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zivkovicmilos zivkovicmilos zivkovicmilos approved these changes

@Kourin1996 Kourin1996 Kourin1996 approved these changes

@epikichi epikichi epikichi approved these changes

@lazartravica lazartravica Awaiting requested review from lazartravica

@dbrajovic dbrajovic Awaiting requested review from dbrajovic

@0xAleksaOpacic 0xAleksaOpacic Awaiting requested review from 0xAleksaOpacic

Assignees

@ZeljkoBenovic ZeljkoBenovic

Labels
bug fix Functionality that fixes a bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ZeljkoBenovic @zivkovicmilos @Kourin1996 @epikichi