How advisable is using the following code to query Bitcoin Core, as compared to using some Python RPC library?
import os

btc_prefix = 'bitcoin-cli '  # path/prefix of the CLI binary, read from a config file

def getblockcount(btc_prefix):
    print("in getblockcount")
    # join the prefix and the RPC method into one command string and run it through the shell
    cmd = ' '.join([btc_prefix, 'getblockcount'])
    response = os.popen(cmd).read()
    return int(response)

getblockcount(btc_prefix)
It is kind of a wrapper function for the core APIs. What are the drawbacks/advantages of using the above code? Also, does it affect security in any way?
It also has far lower overhead, as you don't need to start a new process for each request – Pieter Wuille – 2016-12-21T18:02:23.363
@PieterWuille What has a lower overhead? – Shabahat M. Ayubi – 2016-12-23T07:46:32.543
@Jimmy There isn't a security flaw as such in my approach? – Shabahat M. Ayubi – 2016-12-23T07:50:58.377
Using bitcoin-cli is very slow. Use JSON-RPC from your program directly; it will be much more flexible and faster than using Bitcoin Core's wrapper binary. – Pieter Wuille – 2016-12-23T10:02:13.967
The security flaw in getblockcount is that an attacker can execute anything on your system (e.g. pass in btc_prefix as rm -rf /). I would strongly advise you use JSON-RPC which will only execute what you want. – Jimmy Song – 2016-12-23T20:00:22.123
@JimmySong But then as you mentioned that the approach I am using does not allow anyone accessing bitcoind remotely (which is required in my case). And it is an internal module not exposed to any API where you can pass btc_prefix. It is saved in a config file. Does it pose any similar security flaw given the conditions? – Shabahat M. Ayubi – 2016-12-26T13:42:04.313
If your internal app is locked down from a security perspective, then of course it's going to be secure whatever code you run on it. Generally, when you ask for a security audit, you assume some external party has access. – Jimmy Song – 2016-12-26T16:14:10.730
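The question shells out to bitcoin-cli through os.popen, and the comments recommend talking JSON-RPC to bitcoind directly instead. The following is an added example, not code from the question or from Bitcoin Core, of what that looks like with only the Python standard library: building the JSON-RPC 1.0 request body, Basic authentication (Bitcoin Core writes the default credentials to a .cookie file in its data directory), parsing the reply, and, for comparison, the subprocess form of the original wrapper that passes an argv list rather than a shell string. The RPC URL, the cookie path and the bitcoin-cli binary name are assumptions; no node is contacted by the helper functions themselves.

```python
"""Minimal JSON-RPC client for Bitcoin Core using only the standard library.

Added example for this question; not the asker's code and not part of Bitcoin Core.
RPC_URL, the cookie path in __main__ and the CLI binary name are assumptions.
"""
import base64
import json
import subprocess
import urllib.error
import urllib.request
from pathlib import Path

RPC_URL = "http://127.0.0.1:8332/"  # assumption: mainnet node listening on localhost


def build_rpc_request(method, params=(), request_id=1):
    """Serialise one JSON-RPC 1.0 request body in the shape Bitcoin Core expects."""
    body = {"jsonrpc": "1.0", "id": request_id, "method": method, "params": list(params)}
    return json.dumps(body).encode("utf-8")


def basic_auth_header(user, password):
    """Value for the Authorization header; Bitcoin Core authenticates every RPC call this way."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def read_cookie(cookie_path):
    """Parse the user:password pair Bitcoin Core writes to <datadir>/.cookie on startup."""
    user, _, password = Path(cookie_path).read_text(encoding="utf-8").strip().partition(":")
    return user, password


def parse_rpc_response(raw):
    """Return the 'result' field of a JSON-RPC reply, or raise if the node reported an error."""
    reply = json.loads(raw)
    if reply.get("error") is not None:
        raise RuntimeError(f"RPC error: {reply['error']}")
    return reply["result"]


def rpc_call(method, params=(), url=RPC_URL, auth=None, timeout=10):
    """POST one JSON-RPC request; method and params travel as JSON, never through a shell."""
    headers = {"Content-Type": "application/json"}
    if auth is not None:
        headers["Authorization"] = basic_auth_header(*auth)
    req = urllib.request.Request(url, data=build_rpc_request(method, params),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_rpc_response(resp.read())
    except urllib.error.HTTPError as exc:
        # Bitcoin Core answers RPC-level errors with HTTP 500 and a JSON body; surface that body
        return parse_rpc_response(exc.read())


def cli_argv(binary, method, *params):
    """argv list for subprocess: each element is one argument, so nothing is shell-interpreted."""
    return [binary, method, *params]


def getblockcount_cli(binary="bitcoin-cli"):
    """subprocess form of the question's wrapper: argv list and shell=False, one process per call."""
    completed = subprocess.run(cli_argv(binary, "getblockcount"),
                               capture_output=True, text=True, check=True)
    return int(completed.stdout)


if __name__ == "__main__":
    # assumption: default data directory on Linux; adjust for -datadir or -regtest
    credentials = read_cookie(Path.home() / ".bitcoin" / ".cookie")
    print(rpc_call("getblockcount", auth=credentials))
```

Two design points follow from the discussion above. First, rpc_call reuses nothing between calls here, yet still avoids the fork/exec and bitcoin-cli startup of the os.popen version; a long-lived http.client connection would cut the remaining per-call cost further. Second, in cli_argv a configured value such as "bitcoin-cli -regtest" stays a single argv element (it is not split on whitespace and contains no shell), so options have to be passed as separate list items rather than folded into a prefix string.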