[Qt] support for persisted rpc console history #5891
Conversation
|
Cool. Can you blacklist walletpassphrase? |
While developing i often use the rpc console for some quick checks. I always missed a persisted history. * This will add storing of the history. * "importprivkey" and "signrawtransaction" are blacklisted for the history (new: blacklisted also for the in-memory-history). * Last command will not get overwritten when browsing the history (shell like, but currently not possibility to store changed history commands till executing a new command)
jonasschnelli
force-pushed
the
2015/03/qt_console_update
branch
from
0117063
to
ead5585
Compare
|
@gmaxwell uh. How could i miss this! |
|
@paveljanik I did also add |
|
@jonasschnelli thanks. This is ultra-cool feature 👍 |
|
Rather than hardcoding a list of filtered stuff, maybe it should go where the parameter conversion is defined? (ideally masking out only the sensitive parameter(s)) |
|
Masking out specific parameters seems unduly complex. |
|
@luke-jr yes. I also thought about this. Especially for But i don't want to hold this back until it ends up in the bin because it was getting to complicate. :) |
|
Well, it could also be per-RPC and stored in the RPC info list rather than Qt code. OTOH, thinking on this further, it screws up modularity somewhat.. so maybe the list is for the better. Nit: this isn't a blacklist, so best to rename it to filter or something |
|
@luke-jr s/historyBlacklist/historyFilter/? |
|
Sure |
|
ACK |
|
Not sure this is best implemented as QSetting, because on Windows this is written to the registry. |
|
@Diapolo IMO windows registry or OSX library/preferences is a good place for storing the history. As long as there is a filter for the security critical rpc calls (and this PR comes with a filter). |
|
Okay, but could we use a better naming for |
|
@Diapolo oh yes. This var-name is wrong. Will change it. |
|
I tend towards NACK. Logging commands persistently is paramount to a privacy leak. At the very least this shouldn't be enabled by default. |
|
@laanwj Do you |
|
We already log RPC commands in debug.log, I'm not sure this is that much different? |
|
This logs arguments. |
|
@laanwj What if it were just per session only (e.g. not saving it to disk in any way)? I think that has 90% of the benefit and avoids 90% of the harm. |
|
Current master keeps a history in memory (per session). This PR would extend the session/in-memory history to a persisted "kept-on-disk" history. Indeed, the place where the history is stored would be selected by Qt/OS and it would be outside of Maybe a conclusion could be to add a UI option to enable/disable this feature. |
|
I don't know that an option to disable it solves that much; the sequence of events that most likely results in harm is that the user has no idea that the data is being saved-- so they wouldn't think to go find it, or knows it is but doesn't realize that later they'll regret it (because their system is subsequently compromised). |
|
There has been history per session ever since I added this console. The change here is to persist it between sessions.
Right. I don't keep persistent shell history if an account is used for anything sensitive like managing a wallet. Yes, the problem will be that people don't expect what they enter to be saved to disk. I don't think the slight extra convenience weighs up against this. We have good reason to be a bit paranoid.
That's a separate issue. Maybe we should be more prudent what is logged by default. 'We're already doing wrong thing!' is not a valid reason to do more of it. I would be somewhat more receptive to this if it as whitelist-based instead of blacklist-based. This would avoid sensitive new commands from being logged if someone forgets to update this file (which will happen). Then again, there is bound to be disagreement about what is safe and what is not. To me, it seems that this is not worth the extra complexity or worry. @jonasschnelli What kinds of commands would you want to repeat across sessions for "working / developing / debugging"? Is this use case not better solved with a script and JSON RPC? |
|
Yes. This feature is controversial and can harm your security (same as a bash/shell history). I started writing this when i did some GUI tests where "createrawtransaction", "signrawtransaction" was involved (and other chains of commands). So i had to write in again the tx-hex (copy&pase) every time i recompiled and restarted bitcoin-qt. There it was very handy to have a persistent history. What about adding a settings flag as discussed ("persist rpc console history [yes|no]")? |
|
Closing because this is controversial. |
While developing i often use the rpc console for some quick checks. I always missed a persisted history.
importprivkeyandsignrawtransactionare blacklisted for the history (new: blacklisted also for the in-memory-history).