From af0715e4767ac636871adafb9e9792003dac08b2 Mon Sep 17 00:00:00 2001
From: ThomasV
Date: Fri, 12 Jan 2018 15:10:59 +0100
Subject: [PATCH] backport security updates: disable CORS and JSONRPC in gui
---
 electrum | 4 ++--
 lib/daemon.py | 43 +++++++++++++++----------------------------
 2 files changed, 17 insertions(+), 30 deletions(-)
diff --git a/electrum b/electrum
index 2990639f5..2705125b5 100755
--- a/electrum
+++ b/electrum
@@ -372,7 +372,7 @@ if __name__ == '__main__':
 fd, server = daemon.get_fd_or_server(config)
 if fd is not None:
 plugins = init_plugins(config, config.get('gui', 'qt'))
- d = daemon.Daemon(config, fd)
+ d = daemon.Daemon(config, fd, True)
 d.start()
 d.init_gui(config, plugins)
 sys.exit(0)
@@ -393,7 +393,7 @@ if __name__ == '__main__':
 print_stderr("starting daemon (PID %d)" % pid)
 sys.exit(0)
 init_plugins(config, 'cmdline')
- d = daemon.Daemon(config, fd)
+ d = daemon.Daemon(config, fd, False)
 d.start()
 if config.get('websocket_server'):
 from electrum import websockets
diff --git a/lib/daemon.py b/lib/daemon.py
index a4ba02234..0b674af2c 100644
--- a/lib/daemon.py
+++ b/lib/daemon.py
@@ -29,7 +29,7 @@ import sys
 import time
 import jsonrpclib
-from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer, SimpleJSONRPCRequestHandler
+from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer
 from version import ELECTRUM_VERSION
 from network import Network
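Review bot: The new third argument to `daemon.Daemon` is passed as a bare positional `True`/`False` in both electrum hunks (@@ -372 and @@ -393), which tells a reader nothing about what the flag controls at the call site. Passing it by keyword, `d = daemon.Daemon(config, fd, is_gui=True)` in the GUI branch and `d = daemon.Daemon(config, fd, is_gui=False)` in the daemon branch, documents the intent and makes it much harder to transpose the two call sites during a later edit. Both hunks sit inside the `if __name__ == '__main__':` block, which begins and ends outside the hunks.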
@@ -85,23 +85,9 @@ def get_server(config):
 time.sleep(1.0)
-
-class RequestHandler(SimpleJSONRPCRequestHandler):
-
- def do_OPTIONS(self):
- self.send_response(200)
- self.end_headers()
-
- def end_headers(self):
- self.send_header("Access-Control-Allow-Headers",
- "Origin, X-Requested-With, Content-Type, Accept")
- self.send_header("Access-Control-Allow-Origin", "*")
- SimpleJSONRPCRequestHandler.end_headers(self)
-
-
 class Daemon(DaemonThread):
- def __init__(self, config, fd):
+ def __init__(self, config, fd, is_gui):
 DaemonThread.__init__(self)
 self.config = config
 if config.get('offline'):
@@ -116,15 +102,13 @@ class Daemon(DaemonThread):
 self.gui = None
 self.wallets = {}
 # Setup JSONRPC server
- self.cmd_runner = Commands(self.config, None, self.network)
- self.init_server(config, fd)
+ self.init_server(config, fd, is_gui)
- def init_server(self, config, fd):
+ def init_server(self, config, fd, is_gui):
 host = config.get('rpchost', '127.0.0.1')
 port = config.get('rpcport', 0)
 try:
- server = SimpleJSONRPCServer((host, port), logRequests=False,
- requestHandler=RequestHandler)
+ server = SimpleJSONRPCServer((host, port), logRequests=False)
 except:
 self.print_error('Warning: cannot initialize RPC server on host', host)
 self.server = None
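Review bot: `is_gui` is added to both `Daemon.__init__` and `Daemon.init_server` (hunks @@ -85 and @@ -116) without any documentation of what it gates, even though that gating is the whole point of this security backport. A docstring on `__init__` along the lines of `"""is_gui: True when the daemon is started by the GUI; the local JSON-RPC server then exposes only 'ping' and 'gui' instead of the full command set."""` would keep the rationale next to the parameter, with the same note repeated on `init_server` or a reference to it. Both method bodies continue past the hunk boundaries.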
@@ -132,14 +116,17 @@ class Daemon(DaemonThread):
 return
 os.write(fd, repr((server.socket.getsockname(), time.time())))
 os.close(fd)
- server.timeout = 0.1
- for cmdname in known_commands:
- server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
- server.register_function(self.run_cmdline, 'run_cmdline')
- server.register_function(self.ping, 'ping')
- server.register_function(self.run_daemon, 'daemon')
- server.register_function(self.run_gui, 'gui')
 self.server = server
+ server.timeout = 0.1
+ server.register_function(self.ping, 'ping')
+ if is_gui:
+ server.register_function(self.run_gui, 'gui')
+ else:
+ self.cmd_runner = Commands(self.config, None, self.network)
+ for cmdname in known_commands:
+ server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
+ server.register_function(self.run_cmdline, 'run_cmdline')
+ server.register_function(self.run_daemon, 'daemon')
 def ping(self):
 return True
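Review bot: `self.cmd_runner` is now assigned only inside the `else:` branch of `init_server`, so a `Daemon` constructed with `is_gui=True` never has that attribute and anything outside this hunk that reads it (I cannot see the rest of the class; `run_cmdline` is a plausible candidate) would fail with `AttributeError` rather than a clear "not available in GUI mode" error. Initialising it once before the branch, `self.cmd_runner = None` directly after `self.server = server`, makes the GUI-mode state explicit and lets callers test for it. Since the removed `RequestHandler` was what sent the `Access-Control-Allow-Origin: *` header, the new code presumably relies on the default handler sending no CORS headers at all; that intent is worth recording above `server.timeout = 0.1`, e.g. `# No custom request handler: no CORS headers, so browser pages cannot read RPC responses.`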