From d37c813a43166f559a4e2d1c22e7243f70301291 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Barbosa?= <joao.paulo.barbosa@gmail.com>
Date: Mon, 16 Nov 2020 23:53:36 +0000
Subject: [PATCH 1/3] rpc: Refactor to process -rpcauth once

---
 src/httprpc.cpp | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index f1b99973711..f3b2619dbd7 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -68,6 +68,8 @@ private:
 static std::string strRPCUserColonPass;
 /* Stored RPC timer interface (for unregistration) */
 static std::unique_ptr<HTTPRPCTimerInterface> httpRPCTimerInterface;
+/* List of -rpcauth values */
+static std::vector<std::vector<std::string>> g_rpcauth;
 /* RPC Auth Whitelist */
 static std::map<std::string, std::set<std::string>> g_rpc_whitelist;
 static bool g_rpc_whitelist_default = false;
@@ -99,15 +101,7 @@ static bool multiUserAuthorized(std::string strUserPass)
     std::string strUser = strUserPass.substr(0, strUserPass.find(':'));
     std::string strPass = strUserPass.substr(strUserPass.find(':') + 1);
 
-    for (const std::string& strRPCAuth : gArgs.GetArgs("-rpcauth")) {
-        //Search for multi-user login/pass "rpcauth" from config
-        std::vector<std::string> vFields;
-        boost::split(vFields, strRPCAuth, boost::is_any_of(":$"));
-        if (vFields.size() != 3) {
-            //Incorrect formatting in config file
-            continue;
-        }
-
+    for (const auto& vFields : g_rpcauth) {
         std::string strName = vFields[0];
         if (!TimingResistantEqual(strName, strUser)) {
             continue;
@@ -259,6 +253,13 @@ static bool InitRPCAuthentication()
     if (gArgs.GetArg("-rpcauth","") != "")
     {
         LogPrintf("Using rpcauth authentication.\n");
+        for (std::string rpcauth : gArgs.GetArgs("-rpcauth")) {
+            std::vector<std::string> fields;
+            boost::split(fields, rpcauth, boost::is_any_of(":$"));
+            if (fields.size() == 3) {
+                g_rpcauth.push_back(fields);
+            }
+        }
     }
 
     g_rpc_whitelist_default = gArgs.GetBoolArg("-rpcwhitelistdefault", gArgs.IsArgSet("-rpcwhitelist"));

From 46001323b1f4a57d8d6805f1bc39a5b8d401f0c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Barbosa?= <joao.paulo.barbosa@gmail.com>
Date: Mon, 23 Nov 2020 12:00:50 +0000
Subject: [PATCH 2/3] rpc: Validate -rpcauth arguments

---
 src/httprpc.cpp              |  5 ++++-
 test/functional/rpc_users.py | 11 +++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/httprpc.cpp b/src/httprpc.cpp
index f3b2619dbd7..cb8b220895c 100644
--- a/src/httprpc.cpp
+++ b/src/httprpc.cpp
@@ -253,11 +253,14 @@ static bool InitRPCAuthentication()
     if (gArgs.GetArg("-rpcauth","") != "")
     {
         LogPrintf("Using rpcauth authentication.\n");
-        for (std::string rpcauth : gArgs.GetArgs("-rpcauth")) {
+        for (const std::string& rpcauth : gArgs.GetArgs("-rpcauth")) {
             std::vector<std::string> fields;
             boost::split(fields, rpcauth, boost::is_any_of(":$"));
             if (fields.size() == 3) {
                 g_rpcauth.push_back(fields);
+            } else {
+                LogPrintf("Invalid -rpcauth argument.\n");
+                return false;
             }
         }
     }
diff --git a/test/functional/rpc_users.py b/test/functional/rpc_users.py
index daf02fc4f3d..108af2cac8d 100755
--- a/test/functional/rpc_users.py
+++ b/test/functional/rpc_users.py
@@ -99,11 +99,18 @@ class HTTPBasicsTest(BitcoinTestFramework):
 
         self.test_auth(self.nodes[1], self.rpcuser, self.rpcpassword)
 
-        self.log.info('Check that failure to write cookie file will abort the node gracefully')
+        init_error = 'Error: Unable to start HTTP server. See debug log for details.'
+
+        self.log.info('Check -rpcauth are validated')
+        # Empty -rpcauth= are ignored
+        self.restart_node(0, extra_args=['-rpcauth='])
         self.stop_node(0)
+        self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo'])
+        self.nodes[0].assert_start_raises_init_error(expected_msg=init_error, extra_args=['-rpcauth=foo:bar'])
+
+        self.log.info('Check that failure to write cookie file will abort the node gracefully')
         cookie_file = os.path.join(get_datadir_path(self.options.tmpdir, 0), self.chain, '.cookie.tmp')
         os.mkdir(cookie_file)
-        init_error = 'Error: Unable to start HTTP server. See debug log for details.'
         self.nodes[0].assert_start_raises_init_error(expected_msg=init_error)
 
 

From 053b4fbad8729308774d5e7b53f53c12627fa88b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Barbosa?= <joao.paulo.barbosa@gmail.com>
Date: Mon, 23 Nov 2020 20:58:31 +0000
Subject: [PATCH 3/3] doc: Release note regarding -rpcauth validation

---
 doc/release-notes.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/release-notes.md b/doc/release-notes.md
index 57067138b0d..10d859395c9 100644
--- a/doc/release-notes.md
+++ b/doc/release-notes.md
@@ -80,6 +80,8 @@ Updated settings
 
 Changes to Wallet or GUI related settings can be found in the GUI or Wallet section below.
 
+- Passing an invalid `-rpcauth` argument now cause bitcoind to fail to start.  (#20461)
+
 Tools and Utilities
 -------------------