backport security updates: disable CORS and JSONRPC in gui

electrum

@@ -372,7 +372,7 @@ if __name__ == '__main__':
         fd, server = daemon.get_fd_or_server(config)
         if fd is not None:
             plugins = init_plugins(config, config.get('gui', 'qt'))
-            d = daemon.Daemon(config, fd)
+            d = daemon.Daemon(config, fd, True)
             d.start()
             d.init_gui(config, plugins)
             sys.exit(0)
@@ -393,7 +393,7 @@ if __name__ == '__main__':
                         print_stderr("starting daemon (PID %d)" % pid)
                         sys.exit(0)
                 init_plugins(config, 'cmdline')
-                d = daemon.Daemon(config, fd)
+                d = daemon.Daemon(config, fd, False)
                 d.start()
                 if config.get('websocket_server'):
                     from electrum import websockets

lib/daemon.py

@@ -29,7 +29,7 @@ import sys
 import time
 
 import jsonrpclib
-from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer, SimpleJSONRPCRequestHandler
+from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer
 
 from version import ELECTRUM_VERSION
 from network import Network
@@ -85,23 +85,9 @@ def get_server(config):
         time.sleep(1.0)
 
 
-
-class RequestHandler(SimpleJSONRPCRequestHandler):
-
-    def do_OPTIONS(self):
-        self.send_response(200)
-        self.end_headers()
-
-    def end_headers(self):
-        self.send_header("Access-Control-Allow-Headers",
-                         "Origin, X-Requested-With, Content-Type, Accept")
-        self.send_header("Access-Control-Allow-Origin", "*")
-        SimpleJSONRPCRequestHandler.end_headers(self)
-
-
 class Daemon(DaemonThread):
 
-    def __init__(self, config, fd):
+    def __init__(self, config, fd, is_gui):
         DaemonThread.__init__(self)
         self.config = config
         if config.get('offline'):
@@ -116,15 +102,13 @@ class Daemon(DaemonThread):
         self.gui = None
         self.wallets = {}
         # Setup JSONRPC server
-        self.cmd_runner = Commands(self.config, None, self.network)
+        self.init_server(config, fd, is_gui)
-        self.init_server(config, fd)
 
-    def init_server(self, config, fd):
+    def init_server(self, config, fd, is_gui):
         host = config.get('rpchost', '127.0.0.1')
         port = config.get('rpcport', 0)
         try:
-            server = SimpleJSONRPCServer((host, port), logRequests=False,
+            server = SimpleJSONRPCServer((host, port), logRequests=False)
-                                         requestHandler=RequestHandler)
         except:
             self.print_error('Warning: cannot initialize RPC server on host', host)
             self.server = None
@@ -132,14 +116,17 @@ class Daemon(DaemonThread):
             return
         os.write(fd, repr((server.socket.getsockname(), time.time())))
         os.close(fd)
-        server.timeout = 0.1
-        for cmdname in known_commands:
-            server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
-        server.register_function(self.run_cmdline, 'run_cmdline')
-        server.register_function(self.ping, 'ping')
-        server.register_function(self.run_daemon, 'daemon')
-        server.register_function(self.run_gui, 'gui')
         self.server = server
+        server.timeout = 0.1
+        server.register_function(self.ping, 'ping')
+        if is_gui:
+            server.register_function(self.run_gui, 'gui')
+        else:
+            self.cmd_runner = Commands(self.config, None, self.network)
+            for cmdname in known_commands:
+                server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
+            server.register_function(self.run_cmdline, 'run_cmdline')
+            server.register_function(self.run_daemon, 'daemon')
 
     def ping(self):
         return True