Fix #18

I went with an RPC blacklist instead. By default just "stop" is in it. Thanks @alecalve
7 years ago · dd8f137da3
2 changed files with 20 additions and 0 deletions
--- a/app/env.js
+++ b/app/env.js
@ -2,6 +2,10 @@ module.exports = {
 	cookiePassword: "0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
 	debug: false,

+	rpcBlacklist:[
+		"stop"
+	],
+
 	// Uncomment "bitcoind" below to automatically connect via RPC.
 	// Otherwise, you can manually connect via the UI.

--- a/routes/baseActionsRouter.js
+++ b/routes/baseActionsRouter.js
@ -412,6 +412,14 @@ router.post("/rpc-terminal", function(req, res) {
 		}
 	});

+	if (env.rpcBlacklist.includes(cmd)) {
+		res.write("Sorry, that RPC command is blacklisted. If this is your server, you may allow this command by removing it from the 'rpcBlacklist' setting in env.js.", function() {
+			res.end();
+		});
+
+		return;
+	}
+
 	client.cmd([{method:cmd, params:parsedParams}], function(err, result, resHeaders) {
 		console.log("Result[1]: " + JSON.stringify(result, null, 4));
 		console.log("Error[2]: " + JSON.stringify(err, null, 4));
@ -483,6 +491,14 @@ router.get("/rpc-browser", function(req, res) {

 					res.locals.argValues = argValues;

+					if (env.rpcBlacklist.includes(req.query.method)) {
+						res.locals.methodResult = "Sorry, that RPC command is blacklisted. If this is your server, you may allow this command by removing it from the 'rpcBlacklist' setting in env.js.";
+
+						res.render("browser");
+
+						return;
+					}
+
 					client.cmd([{method:req.query.method, params:argValues}], function(err3, result3, resHeaders3) {
 						if (err3) {
 							res.locals.methodResult = err3;