Filter result of eth.accounts even for batch IPC calls #1114

Merged
merged 2 commits into from Sep 5, 2016


@hiddentao
Contributor

This fixes a security issue raised earlier. Although eth.accounts are filtered according to what's visible to the active Mist tab, it was still possible to retrieve all accounts by making the same call as part of a batch IPC request. This PR fixes that.
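The gap described above, as an added example that is not part of this PR or of Mist's code: a response filter that applies the per-tab `eth_accounts` allow-list to single and batch JSON-RPC payloads alike. All names (`allowedByTab`, `filterAccounts`, `sanitizeOne`, `sanitizeResponse`, `UNMATCHED`) and the sample data are constructed for illustration.

```javascript
// Added illustration, not Mist's code; all names and sample data are hypothetical.
// Constructed permission table: accounts each tab is allowed to see.
const allowedByTab = {
  'tab-dapp': ['0x00000000000000000000000000000000000000a1'],
};
// Constructed error for a batch response that matches no request (fail closed).
const UNMATCHED = { code: -32603, message: 'Response matches no request in batch.' };

// Keep only the accounts visible to this tab (addresses compared case-insensitively).
function filterAccounts(tabId, accounts) {
  const allowed = new Set((allowedByTab[tabId] || []).map(a => a.toLowerCase()));
  return accounts.filter(a => allowed.has(String(a).toLowerCase()));
}

// Filter one request/response pair; only eth_accounts results are rewritten.
function sanitizeOne(tabId, req, res) {
  if (req.method === 'eth_accounts' && res && Array.isArray(res.result)) {
    return Object.assign({}, res, { result: filterAccounts(tabId, res.result) });
  }
  return res;
}

// Same filter for single and batch payloads. Batch responses are paired with
// requests by id, since JSON-RPC 2.0 lets a server return them in any order.
function sanitizeResponse(tabId, request, response) {
  if (!Array.isArray(request)) return sanitizeOne(tabId, request, response);
  const byId = new Map(request.map(r => [r.id, r]));
  return [].concat(response).map(res => {
    const req = byId.get(res.id);
    if (!req) return { jsonrpc: '2.0', id: res.id, error: UNMATCHED };
    return sanitizeOne(tabId, req, res);
  });
}

// Constructed batch: the node answers with every account, out of order.
const batchRequest = [
  { jsonrpc: '2.0', id: 1, method: 'eth_blockNumber', params: [] },
  { jsonrpc: '2.0', id: 2, method: 'eth_accounts', params: [] },
];
const nodeResponse = [
  { jsonrpc: '2.0', id: 2, result: ['0x00000000000000000000000000000000000000A1',
                                    '0x00000000000000000000000000000000000000b2'] },
  { jsonrpc: '2.0', id: 1, result: '0x10' },
];
console.log(JSON.stringify(sanitizeResponse('tab-dapp', batchRequest, nodeResponse)));
```

A regression test for this class of bug sends the same method once on its own and once inside a batch and checks that both results are identical.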

@hiddentao hiddentao added this to the 0.8.2 milestone Aug 25, 2016
@hiddentao hiddentao commented on the diff Aug 25, 2016
modules/ipc/ipcProviderBackend.js
@@ -26,6 +26,7 @@ const ERRORS = {
METHOD_TIMEOUT: {"code": -32603, "message": "Request timed out for method \'__method__\'."},
TX_DENIED: {"code": -32603, "message": "Transaction denied"},
BATCH_TX_DENIED: {"code": -32603, "message": "Transactions denied, sendTransaction is not allowed in batch requests."},
+ BATCH_COMPILE_DENIED: {"code": -32603, "message": "Compilation denied, compileSolidity is not allowed in batch requests."},
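Review bot: BATCH_COMPILE_DENIED reuses code -32603, the same value as METHOD_TIMEOUT, TX_DENIED and BATCH_TX_DENIED in the context lines above it, so a caller can tell a refused compilation from a timeout or a denied transaction only by matching the message string. -32603 is the JSON-RPC 2.0 "Internal error" code; giving the policy denials their own code in the implementation-defined server error range (-32000 to -32099) would let callers branch on error.code instead. The new entry is also unrelated to the eth.accounts filtering named in the PR title, so it would be easier to audit as a separate commit.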
@hiddentao
hiddentao Aug 25, 2016 Contributor

This wasn't necessary for the fix but I added it anyway. You can't do a contract compilation as part of a batch call because we don't support that.

@hiddentao hiddentao modified the milestone: 0.8.3, 0.8.2 Aug 25, 2016
@hiddentao
Contributor

More fixes added.

@alexvandesande alexvandesande merged commit 06d12a6 into ethereum:develop Sep 5, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed