
Commit 5d7f864

luke-jrfurszy
authored andcommitted
rpcbind: Warn about exposing RPC to untrusted networks
1 parent 2a6abd8 commit 5d7f864


2 files changed

+5
-1
lines changed


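--- a/src/httpserver.cpp
+++ b/src/httpserver.cpp
@@ -327,6 +327,10 @@ static bool HTTPBindAddresses(struct evhttp* http)
 LogPrint(BCLog::HTTP, "Binding RPC on address %s port %i\n", i->first, i->second);
 evhttp_bound_socket *bind_handle = evhttp_bind_socket_with_handle(http, i->first.empty() ? NULL : i->first.c_str(), i->second);
 if (bind_handle) {
+CNetAddr addr;
+if (i->first.empty() || (LookupHost(i->first, addr, false) && addr.IsBindAny())) {
+LogPrintf("WARNING: the RPC server is not safe to expose to untrusted networks such as the public internet\n");
+}
 boundSockets.push_back(bind_handle);
 } else {
 LogPrintf("Binding RPC on address %s port %i failed.\n", i->first, i->second);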
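Review bot: The new warning in the `if (bind_handle)` branch fires only for an empty or wildcard bind address, so an `-rpcbind` value naming a specific routable interface address binds without any warning even though it is just as reachable from an untrusted network. Consider widening the condition, for example `if (i->first.empty() || (LookupHost(i->first, addr, false) && (addr.IsBindAny() || addr.IsRoutable()))) {`. Because `LookupHost` is called with lookups disabled, a bind address given as a hostname presumably fails to parse and also skips the warning; a short comment such as `// Numeric addresses only: a hostname is not resolved here and never triggers the warning` would make that limit explicit. HTTPBindAddresses starts and ends outside this hunk, so how the endpoint list is built is not visible here.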

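--- a/src/init.cpp
+++ b/src/init.cpp
@@ -600,7 +600,7 @@ std::string HelpMessage(HelpMessageMode mode)
 strUsage += HelpMessageGroup(_("RPC server options:"));
 strUsage += HelpMessageOpt("-server", _("Accept command line and JSON-RPC commands"));
 strUsage += HelpMessageOpt("-rest", strprintf(_("Accept public REST requests (default: %u)"), DEFAULT_REST_ENABLE));
-strUsage += HelpMessageOpt("-rpcbind=<addr>", _("Bind to given address to listen for JSON-RPC connections. This option is ignored unless -rpcallowip is also passed. Port is optional and overrides -rpcport. Use [host]:port notation for IPv6. This option can be specified multiple times (default: 127.0.0.1 and ::1 i.e., localhost)"));
+strUsage += HelpMessageOpt("-rpcbind=<addr>", _("Bind to given address to listen for JSON-RPC connections. Do not expose the RPC server to untrusted networks such as the public internet! This option is ignored unless -rpcallowip is also passed. Port is optional and overrides -rpcport. Use [host]:port notation for IPv6. This option can be specified multiple times (default: 127.0.0.1 and ::1 i.e., localhost)"));
 strUsage += HelpMessageOpt("-rpccookiefile=<loc>", _("Location of the auth cookie (default: data dir)"));
 strUsage += HelpMessageOpt("-rpcuser=<user>", _("Username for JSON-RPC connections"));
 strUsage += HelpMessageOpt("-rpcpassword=<pw>", _("Password for JSON-RPC connections"));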
