Enable rpc whitelist by default if any rpcwhitelist is set, but allow…

… disabling
bitcoin · Nov 18, 2019 · 778219f · 778219f
1 parent 008dfa9
commit 778219f
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
@@ -71,6 +71,7 @@ static std::string strRPCUserColonPass;
 static std::unique_ptr<HTTPRPCTimerInterface> httpRPCTimerInterface;
 /* RPC Auth Whitelist */
 static std::map<std::string, std::set<std::string>> rpc_whitelist;
+static bool rpc_whitelist_default = false;
 
 static void JSONErrorReply(HTTPRequest* req, const UniValue& objError, const UniValue& id)
 {
@@ -190,10 +191,16 @@ static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
         jreq.URI = req->GetURI();
 
         std::string strReply;
+        bool user_has_whitelist = rpc_whitelist.count(jreq.authUser);
+        if (!user_has_whitelist && rpc_whitelist_default) {
+            LogPrintf("RPC User %s not allowed to call any methods\n", jreq.authUser);
+            req->WriteReply(HTTP_FORBIDDEN);
+            return false;
+
         // singleton request
-        if (valRequest.isObject()) {
+        } else if (valRequest.isObject()) {
             jreq.parse(valRequest);
-            if (rpc_whitelist.count(jreq.authUser) && !rpc_whitelist[jreq.authUser].count(jreq.strMethod)) {
+            if (user_has_whitelist && !rpc_whitelist[jreq.authUser].count(jreq.strMethod)) {
                 LogPrintf("RPC User %s not allowed to call method %s\n", jreq.authUser, jreq.strMethod);
                 req->WriteReply(HTTP_FORBIDDEN);
                 return false;
@@ -205,7 +212,7 @@ static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
 
         // array of requests
         } else if (valRequest.isArray()) {
-            if (rpc_whitelist.count(jreq.authUser)) {
+            if (user_has_whitelist) {
                 for (unsigned int reqIdx = 0; reqIdx < valRequest.size(); reqIdx++) {
                     if (!valRequest[reqIdx].isObject()) {
                         throw JSONRPCError(RPC_INVALID_REQUEST, "Invalid Request object");
@@ -258,6 +265,7 @@ static bool InitRPCAuthentication()
         LogPrintf("Using rpcauth authentication.\n");
     }
 
+    rpc_whitelist_default = gArgs.GetBoolArg("-rpcwhitelistdefault", gArgs.IsArgSet("-rpcwhitelist"));
     for (const std::string& strRPCWhitelist : gArgs.GetArgs("-rpcwhitelist")) {
         auto pos = strRPCWhitelist.find(':');
         std::string strUser = strRPCWhitelist.substr(0, pos);