remove 'check_security_token' parameter. it is useless and dangerous if misused.

5 years ago · 9f49972c0d
parent c8d7401de0
commit 9f49972c0d
2 changed files with 4 additions and 3 deletions
--- a/server/json_rpc.cc
+++ b/server/json_rpc.cc
@ -62,7 +62,7 @@ namespace
 using json_spirit::find_value;


-js::Object call(const FunctionMap& fm, const js::Object& request, Context* context, bool check_security_token)
+js::Object call(const FunctionMap& fm, const js::Object& request, Context* context)
 {
 	int request_id = -1;
 	try
@ -74,7 +74,8 @@ js::Object call(const FunctionMap& fm, const js::Object& request, Context* conte
 		}
 		
 		const auto sec_token = find_value(request, "security_token");
-		if(check_security_token && (sec_token.type()!=js::str_type || context->verify_security_token(sec_token.get_str())==false) )
+		const std::string sec_token_s = (sec_token.type()==js::str_type ? sec_token.get_str() : std::string() ); // missing or non-string "security_token" --> empty string.
+		if( context->verify_security_token(sec_token_s)==false )
 		{
 			return make_error(JSON_RPC::INVALID_REQUEST, "Invalid request: Wrong security token.", request, request_id);
 		}
--- a/server/json_rpc.hh
+++ b/server/json_rpc.hh
@ -21,7 +21,7 @@ enum class JSON_RPC

 // parse the JSON-RPC 2.0 compatible "request", call the C function
 // and create an appropiate "response" object (containing a result or an error)
-js::Object call(const FunctionMap& fm, const js::Object& request, Context* context, bool check_security_token = true);
+js::Object call(const FunctionMap& fm, const js::Object& request, Context* context);

 // create a JSON-RPC 2.0 compatible result response object
 //js::Object make_result(const js::Value& result, int id);