From fa9077724507faad207f29509a8202fc6ac9d502 Mon Sep 17 00:00:00 2001
From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz>
Date: Fri, 19 Jul 2024 08:52:21 +0200
Subject: [PATCH] rest: Reject truncated hex txid early in getutxos parsing
---
 src/rest.cpp | 5 +++--
 test/functional/interface_rest.py | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/rest.cpp b/src/rest.cpp
index 3cf6ad343c8..80e6b52938d 100644
--- a/src/rest.cpp
+++ b/src/rest.cpp
@@ -792,13 +792,14 @@ static bool rest_getutxos(const std::any& context, HTTPRequest* req, const std::
 if (txid_out.size() != 2) {
 return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
 }
+ auto txid{Txid::FromHex(txid_out.at(0))};
 auto output{ToIntegral(txid_out.at(1))};
- if (!output || !IsHex(txid_out.at(0))) {
+ if (!txid || !output) {
 return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
 }
- vOutPoints.emplace_back(TxidFromString(txid_out.at(0)), *output);
+ vOutPoints.emplace_back(*txid, *output);
 }
 if (vOutPoints.size() > 0)
diff --git a/test/functional/interface_rest.py b/test/functional/interface_rest.py
index d547da9cf24..ba6e960476b 100755
--- a/test/functional/interface_rest.py
+++ b/test/functional/interface_rest.py
@@ -208,6 +208,8 @@ class RESTTest (BitcoinTestFramework):
 self.test_rest_request(f"/getutxos/{spending[0]}_+1", ret_type=RetType.OBJ, status=400)
 self.test_rest_request(f"/getutxos/{spending[0]}-+1", ret_type=RetType.OBJ, status=400)
 self.test_rest_request(f"/getutxos/{spending[0]}--1", ret_type=RetType.OBJ, status=400)
+ self.test_rest_request(f"/getutxos/{spending[0]}aa-1234", ret_type=RetType.OBJ, status=400)
+ self.test_rest_request(f"/getutxos/aa-1234", ret_type=RetType.OBJ, status=400)
 # Test limits
 long_uri = '/'.join([f"{txid}-{n_}" for n_ in range(20)])
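Review bot: The added `Txid::FromHex` call is now the only validation applied to the txid taken from the request URI, and nothing at the call site records that its strictness is the reason it was chosen. A one-line comment above `auto txid{...}` would keep a later refactor from swapping a lenient parser back in, for example `// Txid::FromHex accepts only a full-length hex txid; anything shorter or longer from the URI is rejected here.` Since neither `txid` nor `output` is reassigned in the visible lines, `const auto` would also fit both declarations. rest_getutxos starts and ends outside the hunk.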
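Review bot: Neither added request exercises a txid that is only slightly wrong: the first is two characters too long and the second is two characters in total, so an off-by-one in the length check or a single non-hex character at full length would go untested. Assuming `spending[0]` is a full hex txid, adding `self.test_rest_request(f"/getutxos/{spending[0][:-1]}-1234", ret_type=RetType.OBJ, status=400)` and a variant whose last character is replaced by `g` would pin both boundaries. The second added line is an f-string with no placeholders, so its `f` prefix can be dropped. The enclosing test method starts and ends outside the hunk.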