paymentrequest: be explicit about only allowing "addresses"

6 years ago · e059867314
3 changed files with 16 additions and 11 deletions
--- a/electrum/paymentrequest.py
+++ b/electrum/paymentrequest.py
@ -132,8 +132,12 @@ class PaymentRequest:
        self.details.ParseFromString(self.data.serialized_payment_details)
        self.outputs = []
        for o in self.details.outputs:
-            addr = transaction.get_address_from_output_script(o.script)[1]
+            type_, addr = transaction.get_address_from_output_script(o.script)
-            self.outputs.append(TxOutput(TYPE_ADDRESS, addr, o.amount))
+            if type_ != TYPE_ADDRESS:
                # TODO maybe rm restriction but then get_requestor and get_id need changes
                self.error = "only addresses are allowed as outputs"
                return
            self.outputs.append(TxOutput(type_, addr, o.amount))
        self.memo = self.details.memo
        self.payment_url = self.details.payment_url
@ -195,6 +199,9 @@ class PaymentRequest:
            verify = pubkey0.verify(sigBytes, x509.PREFIX_RSA_SHA256 + hashBytes)
        elif paymntreq.pki_type == "x509+sha1":
            verify = pubkey0.hashAndVerify(sigBytes, msgBytes)
        else:
            self.error = f"ERROR: unknown pki_type {paymntreq.pki_type} in Payment Request"
            return False
        if not verify:
            self.error = "ERROR: Invalid Signature for Payment Request Data"
            return False
--- a/electrum/transaction.py
+++ b/electrum/transaction.py
@ -1030,9 +1030,10 @@ class Transaction:
        if outputs:
            self._outputs.sort(key = lambda o: (o.value, self.pay_script(o.type, o.address)))
-    def serialize_output(self, output: TxOutput) -> str:
+    @classmethod
    def serialize_output(cls, output: TxOutput) -> str:
        s = int_to_hex(output.value, 8)
-        script = self.pay_script(output.type, output.address)
+        script = cls.pay_script(output.type, output.address)
        s += var_int(len(script)//2)
        s += script
        return s
--- a/electrum/util.py
+++ b/electrum/util.py
@ -444,8 +444,7 @@ def assert_str(*args):
        assert isinstance(x, str)
-
+def to_string(x, enc) -> str:
 def to_string(x, enc):
    if isinstance(x, (bytes, bytearray)):
        return x.decode(enc)
    if isinstance(x, str):
@ -453,7 +452,8 @@ def to_string(x, enc):
    else:
        raise TypeError("Not a string or bytes like object")
-def to_bytes(something, encoding='utf8'):
+
 def to_bytes(something, encoding='utf8') -> bytes:
    """
    cast string to bytes() like object, but for python2 support it's bytearray copy
    """
@ -471,16 +471,13 @@ bfh = bytes.fromhex
 hfu = binascii.hexlify
-def bh2u(x):
+def bh2u(x: bytes) -> str:
    """
    str with hex representation of a bytes-like object
    >>> x = bytes((1, 2, 10))
    >>> bh2u(x)
    '01020A'
    :param x: bytes
    :rtype: str
    """
    return hfu(x).decode('ascii')