From 62ca5b0465b2d45453a14228b5dc51212fc05bb5 Mon Sep 17 00:00:00 2001 From: phm87 <31578435+phm87@users.noreply.github.com> Date: Sat, 27 Oct 2018 02:16:27 +0200 Subject: [PATCH 1/4] Update rawcoins.php --- web/yaamp/core/backend/rawcoins.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/web/yaamp/core/backend/rawcoins.php b/web/yaamp/core/backend/rawcoins.php index 8a289b249..fcb2b0747 100644 --- a/web/yaamp/core/backend/rawcoins.php +++ b/web/yaamp/core/backend/rawcoins.php @@ -455,6 +455,8 @@ function updateRawCoin($marketname, $symbol, $name='unknown') { if($symbol == 'BTC') return; + // Restrict $symbol and $name to strict defined set of characters (to protect from rogue exchange or DNS attack on exchange) + $coin = getdbosql('db_coins', "symbol=:symbol", array(':symbol'=>$symbol)); if(!$coin && YAAMP_CREATE_NEW_COINS) { From f52b2505418ecce4f739f55f609e2f3462f541c1 Mon Sep 17 00:00:00 2001 From: phm87 <31578435+phm87@users.noreply.github.com> Date: Sun, 28 Oct 2018 23:28:32 +0100 Subject: [PATCH 2/4] updateRawCoin : restrict charset of new coins TODO: test the regular expression for ticket or coin name with $ and _ --- web/yaamp/core/backend/rawcoins.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/web/yaamp/core/backend/rawcoins.php b/web/yaamp/core/backend/rawcoins.php index fcb2b0747..432ee492b 100644 --- a/web/yaamp/core/backend/rawcoins.php +++ b/web/yaamp/core/backend/rawcoins.php @@ -456,7 +456,15 @@ function updateRawCoin($marketname, $symbol, $name='unknown') if($symbol == 'BTC') return; // Restrict $symbol and $name to strict defined set of characters (to protect from rogue exchange or DNS attack on exchange) - + if (!empty($symbol) && preg_match('/[^A-Za-z0-9_$]/', $symbol)) { + debuglog("weird symbol $symbol from $marketname"); + return; + } + if (!empty($name) && preg_match('/[^A-Za-z0-9_$]/', $name)) { + debuglog("weird name $name for symbol $symbol from $marketname"); + return; + } + $coin = getdbosql('db_coins', "symbol=:symbol", array(':symbol'=>$symbol)); if(!$coin && YAAMP_CREATE_NEW_COINS) { From 6395fe419d50f02aaf99078a03e5fa219dcf6dd9 Mon Sep 17 00:00:00 2001 From: phm87 <31578435+phm87@users.noreply.github.com> Date: Mon, 29 Oct 2018 01:08:54 +0100 Subject: [PATCH 3/4] Update rawcoins.php --- web/yaamp/core/backend/rawcoins.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/yaamp/core/backend/rawcoins.php b/web/yaamp/core/backend/rawcoins.php index 432ee492b..115bf8137 100644 --- a/web/yaamp/core/backend/rawcoins.php +++ b/web/yaamp/core/backend/rawcoins.php @@ -456,11 +456,11 @@ function updateRawCoin($marketname, $symbol, $name='unknown') if($symbol == 'BTC') return; // Restrict $symbol and $name to strict defined set of characters (to protect from rogue exchange or DNS attack on exchange) - if (!empty($symbol) && preg_match('/[^A-Za-z0-9_$]/', $symbol)) { + if (!preg_match('/[^A-Za-z0-9_\$]/', $symbol)) { debuglog("weird symbol $symbol from $marketname"); return; } - if (!empty($name) && preg_match('/[^A-Za-z0-9_$]/', $name)) { + if (!preg_match('/[^A-Za-z0-9_\$]/', $name)) { debuglog("weird name $name for symbol $symbol from $marketname"); return; } From f73a4385d879bb8af5a20cf8da5edb81972cf2db Mon Sep 17 00:00:00 2001 From: phm87 <31578435+phm87@users.noreply.github.com> Date: Mon, 25 Feb 2019 21:21:50 +0100 Subject: [PATCH 4/4] Fix of condition (to test) & allow space in coin name Thank you to crackers for the testing and sorry for the problems due to my mistake. I will test my code before asking other pools to test it. --- web/yaamp/core/backend/rawcoins.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/yaamp/core/backend/rawcoins.php b/web/yaamp/core/backend/rawcoins.php index 115bf8137..2c5811090 100644 --- a/web/yaamp/core/backend/rawcoins.php +++ b/web/yaamp/core/backend/rawcoins.php @@ -456,11 +456,11 @@ function updateRawCoin($marketname, $symbol, $name='unknown') if($symbol == 'BTC') return; // Restrict $symbol and $name to strict defined set of characters (to protect from rogue exchange or DNS attack on exchange) - if (!preg_match('/[^A-Za-z0-9_\$]/', $symbol)) { + if (preg_match('/[^A-Za-z0-9_\$]/', $symbol)) { debuglog("weird symbol $symbol from $marketname"); return; } - if (!preg_match('/[^A-Za-z0-9_\$]/', $name)) { + if (preg_match('/[^A-Za-z0-9_\$ ]/', $name)) { debuglog("weird name $name for symbol $symbol from $marketname"); return; }