backport security updates: disable CORS and JSONRPC in gui

2018-01-12 15:10:59 +01:00
parent 24e3fab8af
commit af0715e476
2 changed files with 17 additions and 30 deletions
--- a/lib/daemon.py
+++ b/lib/daemon.py
@@ -29,7 +29,7 @@ import sys
 import time

 import jsonrpclib
-from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer, SimpleJSONRPCRequestHandler
+from jsonrpclib.SimpleJSONRPCServer import SimpleJSONRPCServer

 from version import ELECTRUM_VERSION
 from network import Network
@@ -85,23 +85,9 @@ def get_server(config):
        time.sleep(1.0)


-
-class RequestHandler(SimpleJSONRPCRequestHandler):
-
-    def do_OPTIONS(self):
-        self.send_response(200)
-        self.end_headers()
-
-    def end_headers(self):
-        self.send_header("Access-Control-Allow-Headers",
-                         "Origin, X-Requested-With, Content-Type, Accept")
-        self.send_header("Access-Control-Allow-Origin", "*")
-        SimpleJSONRPCRequestHandler.end_headers(self)
-
-
 class Daemon(DaemonThread):

-    def __init__(self, config, fd):
+    def __init__(self, config, fd, is_gui):
        DaemonThread.__init__(self)
        self.config = config
        if config.get('offline'):
@@ -116,15 +102,13 @@ class Daemon(DaemonThread):
        self.gui = None
        self.wallets = {}
        # Setup JSONRPC server
-        self.cmd_runner = Commands(self.config, None, self.network)
-        self.init_server(config, fd)
+        self.init_server(config, fd, is_gui)

-    def init_server(self, config, fd):
+    def init_server(self, config, fd, is_gui):
        host = config.get('rpchost', '127.0.0.1')
        port = config.get('rpcport', 0)
        try:
-            server = SimpleJSONRPCServer((host, port), logRequests=False,
-                                         requestHandler=RequestHandler)
+            server = SimpleJSONRPCServer((host, port), logRequests=False)
        except:
            self.print_error('Warning: cannot initialize RPC server on host', host)
            self.server = None
@@ -132,14 +116,17 @@ class Daemon(DaemonThread):
            return
        os.write(fd, repr((server.socket.getsockname(), time.time())))
        os.close(fd)
-        server.timeout = 0.1
-        for cmdname in known_commands:
-            server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
-        server.register_function(self.run_cmdline, 'run_cmdline')
-        server.register_function(self.ping, 'ping')
-        server.register_function(self.run_daemon, 'daemon')
-        server.register_function(self.run_gui, 'gui')
        self.server = server
+        server.timeout = 0.1
+        server.register_function(self.ping, 'ping')
+        if is_gui:
+            server.register_function(self.run_gui, 'gui')
+        else:
+            self.cmd_runner = Commands(self.config, None, self.network)
+            for cmdname in known_commands:
+                server.register_function(getattr(self.cmd_runner, cmdname), cmdname)
+            server.register_function(self.run_cmdline, 'run_cmdline')
+            server.register_function(self.run_daemon, 'daemon')

    def ping(self):
        return True