Don't reveal whether password is <20 or >20 characters in RPC

As discussed on IRC. It seems bad to base a decision to delay based on the password length, as it leaks a small amount of information.
bitcoin · Aug 19, 2014 · 01094bd · 01094bd
1 parent dd28197
commit 01094bd
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp
@@ -849,11 +849,10 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn,
     if (!HTTPAuthorized(mapHeaders))
     {
         LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
-        /* Deter brute-forcing short passwords.
+        /* Deter brute-forcing
            If this results in a DoS the user really
            shouldn't have their RPC port exposed. */
-        if (mapArgs["-rpcpassword"].size() < 20)
-            MilliSleep(250);
+        MilliSleep(250);
 
         conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush;
         return false;