From c050ef0814b920cb92f66a632046d084b31292e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20=C5=A0urda?=
Date: Tue, 13 Feb 2018 23:33:12 +0100
Subject: [PATCH] Messagetype attack mitigation
- temporarily restrict messagetypes
- use a new "Contact support" address
---
 src/bitmessageqt/support.py | 4 +++-
 src/messagetypes/__init__.py | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/bitmessageqt/support.py b/src/bitmessageqt/support.py
index cea5ddc8..25c6113d 100644
--- a/src/bitmessageqt/support.py
+++ b/src/bitmessageqt/support.py
@@ -21,7 +21,8 @@ import state
 from version import softwareVersion
 # this is BM support address going to Peter Surda
-SUPPORT_ADDRESS = 'BM-2cTkCtMYkrSPwFTpgcBrMrf5d8oZwvMZWK'
+OLD_SUPPORT_ADDRESS = 'BM-2cTkCtMYkrSPwFTpgcBrMrf5d8oZwvMZWK'
+SUPPORT_ADDRESS = 'BM-2cUdgkDDAahwPAU6oD2A7DnjqZz3hgY832'
 SUPPORT_LABEL = 'PyBitmessage support'
 SUPPORT_MY_LABEL = 'My new address'
 SUPPORT_SUBJECT = 'Support request'
@@ -53,6 +54,7 @@ Connected hosts: {}
 '''
 def checkAddressBook(myapp):
+ sqlExecute('''DELETE from addressbook WHERE address=?''', OLD_SUPPORT_ADDRESS)
 queryreturn = sqlQuery('''SELECT * FROM addressbook WHERE address=?''', SUPPORT_ADDRESS)
 if queryreturn == []:
 sqlExecute('''INSERT INTO addressbook VALUES (?,?)''', str(QtGui.QApplication.translate("Support", SUPPORT_LABEL)), SUPPORT_ADDRESS)
diff --git a/src/messagetypes/__init__.py b/src/messagetypes/__init__.py
index d9291013..1a5223df 100644
--- a/src/messagetypes/__init__.py
+++ b/src/messagetypes/__init__.py
@@ -11,6 +11,9 @@ class MsgBase(object):
 def constructObject(data):
+ whitelist = ["message"]
+ if data[""] not in whitelist:
+ return None
 try:
 m = import_module("messagetypes." + data[""])
 classBase = getattr(m, data[""].title())
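Review bot: In src/bitmessageqt/support.py the existing comment `# this is BM support address going to Peter Surda` now sits directly above `OLD_SUPPORT_ADDRESS`, so it describes the replaced address rather than the live one. Nothing in the file records why the old value is still defined. I would put `# previous support address, kept only so checkAddressBook() can remove it from address books` above `OLD_SUPPORT_ADDRESS` and move the existing comment down to `SUPPORT_ADDRESS`, adjusting its wording if the new address goes to a different recipient.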
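Review bot: The added `sqlExecute('''DELETE from addressbook WHERE address=?''', OLD_SUPPORT_ADDRESS)` at the top of checkAddressBook() runs on every call and removes the row whatever label the user gave it, with no comment or log line to explain why an entry disappeared. It also covers only the `addressbook` table, so any other stored reference to the old address (none is visible in this hunk) is left untouched. At minimum I would add a comment stating the intent, which appears to be `# remove the replaced support address so new requests are not addressed to it`, and confirm whether other tables need the same cleanup. The body of checkAddressBook() continues past the end of the hunk.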
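Review bot: The new guard in constructObject() reads `data[""]` before the `try:`, so a payload that has no `""` key, or is not a mapping at all, raises KeyError or TypeError from the guard instead of returning None like the other rejected input. Whether callers tolerate that is not visible here, since the function's `except` clause lies outside the hunk. I would write the check as `if not isinstance(data, dict) or data.get("") not in whitelist:` followed by `return None`. The list is also rebuilt on every call; a module-level constant with a comment saying the restriction is temporary and why would make it easier to audit and to widen later.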