joinmarket Allow notifies coming from external hosts

Handy to use on a computer that doesn't host the bitcoind node (like a RPi).

Oct 21 '16 11:10 paoloaga

All PRs against develop branch please.

Oct 21 '16 11:10 AdamISZ

Ok, next time I will push there. Anyway this is just a very brief patch (just a string in the code). Not sure if it's worth it to make another PR. If you think it's valid, just insert it in the next release. Thanks.

Oct 23 '16 00:10 paoloaga

It should be possible to change the PR destination without closing it and opening a new one.

Oct 24 '16 13:10 chris-belcher

I found the feature, thanks. Is it all right now?

Oct 24 '16 15:10 paoloaga

OK, cool, @chris-belcher do you ACK? (sorry for trivial question but I know you actually thought about this, I didn't :)) If you merge please use github-merge.py to sign the merge commit, else I can do it.

Oct 24 '16 16:10 AdamISZ

utACK

This does make scripts slightly more vulnerable to grinding induced by other computers, but I think that people running JM with ports forwarded should know what they're doing. Also, I don't see that this creates dangers beyond merely consuming extra resources, in which case the operator could stop forwarding ports and use an SSH tunnel instead.

Further thoughts, @chris-belcher ?

Oct 24 '16 17:10 adlai

Yes I think its good. utACK.

About a year ago we had a vulnerability which involved passing strings from the http server to system(). Since then that part was changed to use urllib which doesn't pose such a serious security risk.

Oct 26 '16 22:10 chris-belcher

I'm amending my position to NACK, because this does open up more avenues for grinding or even worse vulnerabilities. Off the top of my head I can't think of how to exploit this, but why make life easier for enemies?

I'll ACK a version of this which lets the user configure the binding host, but leaves the default as localhost (or 127.0.0.1, which I believe has the same effect).

Oct 27 '16 16:10 adlai