From 9b5c8a31aa4e449ec22f23d6ad4bb3ad27b182c4 Mon Sep 17 00:00:00 2001
From: Dan Janosik
Date: Thu, 24 May 2018 11:59:19 -0400
Subject: [PATCH] Stronger validation of rpc commands against blacklist. Fixes #33
---
 routes/baseActionsRouter.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/routes/baseActionsRouter.js b/routes/baseActionsRouter.js
index e364a20..d6c699e 100644
--- a/routes/baseActionsRouter.js
+++ b/routes/baseActionsRouter.js
@@ -493,7 +493,7 @@ router.post("/rpc-terminal", function(req, res) {
 }
 }
- var params = req.body.cmd.split(" ");
+ var params = req.body.cmd.trim().split(/\s+/);
 var cmd = params.shift();
 var parsedParams = [];
@@ -506,7 +506,7 @@ router.post("/rpc-terminal", function(req, res) {
 }
 });
- if (env.rpcBlacklist.includes(cmd)) {
+ if (env.rpcBlacklist.includes(cmd.toLowerCase())) {
 res.write("Sorry, that RPC command is blacklisted. If this is your server, you may allow this command by removing it from the 'rpcBlacklist' setting in env.js.", function() {
 res.end();
 });
@@ -599,7 +599,7 @@ router.get("/rpc-browser", function(req, res) {
 res.locals.argValues = argValues;
- if (env.rpcBlacklist.includes(req.query.method)) {
+ if (env.rpcBlacklist.includes(req.query.method.toLowerCase())) {
 res.locals.methodResult = "Sorry, that RPC command is blacklisted. If this is your server, you may allow this command by removing it from the 'rpcBlacklist' setting in env.js.";
 res.render("browser");
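Review bot: The new `trim().split(/\s+/)` still lets an empty or whitespace-only command through: `"".trim().split(/\s+/)` is `[""]`, so `cmd` becomes `""`, which no blacklist entry matches and which presumably continues to the RPC call further down the handler. It also assumes `req.body.cmd` is a string; with extended urlencoded parsing a `cmd[]=...` body yields an array and `.trim()` throws a TypeError that surfaces as an unhandled 500. I would reject both before splitting, e.g. `if (typeof req.body.cmd !== "string" || req.body.cmd.trim() === "") { res.status(400); res.end("No RPC command given."); return; }`. The `/rpc-terminal` handler starts before and continues after this hunk.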
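Review bot: Lowercasing only `cmd` means the check works solely if every entry in `env.rpcBlacklist` is already lowercase; an operator who lists `"Stop"` or `"sendToAddress"` in env.js gets no protection and no warning. Normalize both sides, e.g. `var lowerCmd = cmd.toLowerCase();` followed by `if (env.rpcBlacklist.some(function(b) { return b.toLowerCase() === lowerCmd; })) {`, or lowercase the list once where it is loaded. Whatever token is eventually handed to the RPC client (outside this hunk) should be the same one that was compared, so a casing difference cannot reopen the gap. A short comment above the check stating that `rpcBlacklist` is matched case-insensitively and is a denylist (anything not listed stays callable) would help the next operator.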
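Review bot: `req.query.method.toLowerCase()` throws when `method` is not a string, which Express's default query parser produces for a repeated parameter (`?method=stop&method=stop` arrives as an array), so a crafted URL turns this into an unhandled TypeError instead of the blacklist message. Whether an earlier truthiness check on `req.query.method` exists is not visible in the hunk, but a truthy array would pass it anyway. I would guard the type first: `if (typeof req.query.method !== "string" || env.rpcBlacklist.includes(req.query.method.toLowerCase())) {`, so non-string input takes the same refusal path. As in the terminal route, the blacklist entries themselves are not lowercased here, so the match only holds if env.js already spells them in lowercase.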