User-facing string in GUI from untrusted source #16154

issue cculianu opened this issue on June 5, 2019
  1. cculianu commented at 5:54 PM on June 5, 2019: none

    See here: https://github.com/bitcoin/bitcoin/blob/758c6d784da0f191c408fda97b3071dd7e1fe8a0/src/qt/paymentserver.cpp#L718-L726

    This string ends up in the wallet UI on a failed response from the payment request server.

    In light of recent phishing attempts on e.g. the Electrum network, it's probably not the best idea to show this error message in the GUI.

    Granted this is a corner case and the attack surface is exceedingly small -- it still probably should be handled.

    Best regards,

    -Calin

  2. cculianu cross-referenced this on Jun 5, 2019 from issue Leftover: Possibly unsafe / phishing hole in code (server side string shown to user) by cculianu
  3. cculianu cross-referenced this on Jun 5, 2019 from issue Potentially unsafe: GUI facing error message shows string from untrusted server source by cculianu
  4. fanquake added the label GUI on Jun 5, 2019
  5. bddap commented at 9:36 PM on June 26, 2019: none

    Is it useful to check reply->errorString() against a whitelist of valid error messages? Should the message simply not be displayed?

  6. SomberNight cross-referenced this on Aug 28, 2019 from issue Server banners are "attacker-controlled" arbitrary text. Might be used for phishing. by wartjugger
  7. fanquake commented at 2:19 AM on February 4, 2020: member

    This code no longer exists.

  8. fanquake closed this on Feb 4, 2020

  9. bitcoin locked this on Feb 15, 2022
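
One way to handle the concern raised in this thread, as an added example that is not code from bitcoin/bitcoin: the GUI message is chosen only from fixed local strings keyed by an error category, and the server-supplied text goes to the debug log after sanitizing. The `FetchError` enum, the function names and the sample input are hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical error categories; a real client would map its network
// library's error codes onto these before building any message.
enum class FetchError { Timeout, ConnectionRefused, TlsFailure, HttpError, Unknown };

// Text for the GUI: only fixed local strings, never remote text.
std::string userFacingMessage(FetchError e) {
    switch (e) {
        case FetchError::Timeout:           return "The payment request server did not respond in time.";
        case FetchError::ConnectionRefused: return "Could not connect to the payment request server.";
        case FetchError::TlsFailure:        return "A secure connection to the payment request server failed.";
        case FetchError::HttpError:         return "The payment request server returned an error.";
        default:                            return "Fetching the payment request failed.";
    }
}

// Remote text is kept for the debug log only: printable ASCII survives,
// every other byte becomes '?', and the length is capped.
std::string sanitizeForLog(const std::string& remote, std::size_t maxLen = 80) {
    std::string out;
    for (unsigned char c : remote) {
        if (out.size() >= maxLen) { out += "[truncated]"; break; }
        out += (c >= 0x20 && c < 0x7f) ? static_cast<char>(c) : '?';
    }
    return out;
}

struct ErrorReport { std::string gui; std::string log; };

ErrorReport reportFetchFailure(FetchError code, const std::string& remoteText) {
    return { userFacingMessage(code),
             "payment request fetch failed: " + sanitizeForLog(remoteText) };
}

int main() {
    // Constructed sample of text a server could place in an error response.
    ErrorReport r = reportFetchFailure(FetchError::HttpError, "Server-chosen text\nsecond line");
    std::cout << "GUI: " << r.gui << "\nLOG: " << r.log << "\n";
    return 0;
}
```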

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:54 UTC