Don't reveal whether password is <20 or >20 characters in RPC
As discussed on IRC. It seems bad to base a decision to delay based on the password length, as it leaks a small amount of information.
This commit is contained in:
parent
dd2819701a
commit
01094bd01f
1 changed files with 2 additions and 3 deletions
|
@ -849,11 +849,10 @@ static bool HTTPReq_JSONRPC(AcceptedConnection *conn,
|
|||
if (!HTTPAuthorized(mapHeaders))
|
||||
{
|
||||
LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
|
||||
/* Deter brute-forcing short passwords.
|
||||
/* Deter brute-forcing
|
||||
If this results in a DoS the user really
|
||||
shouldn't have their RPC port exposed. */
|
||||
if (mapArgs["-rpcpassword"].size() < 20)
|
||||
MilliSleep(250);
|
||||
MilliSleep(250);
|
||||
|
||||
conn->stream() << HTTPError(HTTP_UNAUTHORIZED, false) << std::flush;
|
||||
return false;
|
||||
|
|
Loading…
Reference in a new issue