From 90184658a7ed095816d038755bf0210033250791 Mon Sep 17 00:00:00 2001
From: debris
Date: Mon, 22 Feb 2016 13:41:38 +0100
Subject: [PATCH] jsonrpc security, cors headers, fixed #359
---
 Cargo.lock | 5 +++--
 parity/main.rs | 16 +++++++++-------
 rpc/Cargo.toml | 2 +-
 rpc/src/lib.rs.in | 4 ++--
 4 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index cf747f3cc..8be46a773 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -206,7 +206,7 @@ dependencies = [
 "ethcore-util 0.9.99",
 "ethsync 0.9.99",
 "jsonrpc-core 1.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
- "jsonrpc-http-server 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "jsonrpc-http-server 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "rustc-serialize 0.3.18 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 0.6.14 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde_codegen 0.6.14 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -373,11 +373,12 @@ dependencies = [
 [[package]]
 name = "jsonrpc-http-server"
-version = "1.1.2"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "hyper 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "jsonrpc-core 1.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicase 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
diff --git a/parity/main.rs b/parity/main.rs
index f4b7880ab..2e86608ef 100644
--- a/parity/main.rs
+++ b/parity/main.rs
@@ -52,7 +52,7 @@ use ethsync::EthSync;
 use docopt::Docopt;
 use daemonize::Daemonize;
-const USAGE: &'static str = "
+const USAGE: &'static str = r#"
 Parity. Ethereum Client.
 By Wood/Paronyan/Kotewicz/Drwięga/Volf.
 Copyright 2015, 2016 Ethcore (UK) Limited
@@ -71,8 +71,8 @@ Options:
 --listen-address URL Specify the IP/port on which to listen for peers [default: 0.0.0.0:30304].
 --public-address URL Specify the IP/port on which peers may connect.
 --address URL Equivalent to --listen-address URL --public-address URL.
- --peers NUM Try to manintain that many peers [default: 25].
- --no-discovery Disable new peer discovery.
+ --peers NUM Try to manintain that many peers [default: 25].
+ --no-discovery Disable new peer discovery.
 --upnp Use UPnP to try to figure out the correct network settings.
 --node-key KEY Specify node secret key as hex string.
@@ -81,11 +81,12 @@ Options:
 -j --jsonrpc Enable the JSON-RPC API sever.
 --jsonrpc-url URL Specify URL for JSON-RPC API server [default: 127.0.0.1:8545].
+ --jsonrpc-cors URL Specify CORS header for JSON-RPC API responses [default: null].
 -l --logging LOGGING Specify the logging level.
 -v --version Show information about version.
 -h --help Show this screen.
-";
+"#;
 #[derive(Debug, RustcDecodable)]
 struct Args {
@@ -107,6 +108,7 @@ struct Args {
 flag_cache_max_size: usize,
 flag_jsonrpc: bool,
 flag_jsonrpc_url: String,
+ flag_jsonrpc_cors: String,
 flag_logging: Option,
 flag_version: bool,
 }
@@ -127,7 +129,7 @@ fn setup_log(init: &Option) {
 }
 #[cfg(feature = "rpc")]
-fn setup_rpc_server(client: Arc, sync: Arc, url: &str) {
+fn setup_rpc_server(client: Arc, sync: Arc, url: &str, cors_domain: &str) {
 use rpc::v1::*;
 let mut server = rpc::HttpServer::new(1);
@@ -135,7 +137,7 @@ fn setup_rpc_server(client: Arc, sync: Arc, url: &str) {
 server.add_delegate(EthClient::new(client.clone(), sync.clone()).to_delegate());
 server.add_delegate(EthFilterClient::new(client).to_delegate());
 server.add_delegate(NetClient::new(sync).to_delegate());
- server.start_async(url);
+ server.start_async(url, cors_domain);
 }
 #[cfg(not(feature = "rpc"))]
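Review bot: The `[default: null]` on the new `--jsonrpc-cors` line (hunk at -81) is not a neutral default, because `null` is the origin browsers report for sandboxed iframes and for `file:` and `data:` documents. Assuming the value is sent verbatim as `Access-Control-Allow-Origin`, a node started with only `--jsonrpc` would let such pages read RPC responses. I would drop the default and make the field optional, `flag_jsonrpc_cors: Option<String>,` in the `Args` hunk at -107, so that no CORS header is sent unless the operator names an origin. The help line should also say what is accepted, e.g. `--jsonrpc-cors URL  Allow this single origin to read JSON-RPC responses (no CORS header when omitted).`, since nothing visible in this diff rejects `*`.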
@@ -279,7 +281,7 @@ impl Configuration {
 // Setup rpc
 if self.args.flag_jsonrpc {
- setup_rpc_server(service.client(), sync.clone(), &self.args.flag_jsonrpc_url);
+ setup_rpc_server(service.client(), sync.clone(), &self.args.flag_jsonrpc_url, &self.args.flag_jsonrpc_cors);
 }
 // Register IO handler
diff --git a/rpc/Cargo.toml b/rpc/Cargo.toml
index be06316a4..1394c206f 100644
--- a/rpc/Cargo.toml
+++ b/rpc/Cargo.toml
@@ -12,7 +12,7 @@ build = "build.rs"
 serde = "0.6.7"
 serde_json = "0.6.0"
 jsonrpc-core = "1.1"
-jsonrpc-http-server = "1.1"
+jsonrpc-http-server = "2.0"
 ethcore-util = { path = "../util" }
 ethcore = { path = "../ethcore" }
 ethsync = { path = "../sync" }
diff --git a/rpc/src/lib.rs.in b/rpc/src/lib.rs.in
index f09a25be8..e17f2b3bb 100644
--- a/rpc/src/lib.rs.in
+++ b/rpc/src/lib.rs.in
@@ -23,8 +23,8 @@ impl HttpServer {
 }
 /// Start server asynchronously in new thread
- pub fn start_async(self, addr: &str) {
+ pub fn start_async(self, addr: &str, cors_domain: &str) {
 let server = jsonrpc_http_server::Server::new(self.handler, self.threads);
- server.start_async(addr)
+ server.start_async(addr, jsonrpc_http_server::AccessControlAllowOrigin::Value(cors_domain.to_owned()))
 }
 }
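Review bot: In the `rpc/src/lib.rs.in` hunk, `start_async` wraps whatever string it receives in `AccessControlAllowOrigin::Value` without validation, and the doc comment still describes only the old one-argument form. An empty string, `*` or a space-separated list would all be emitted as the header value, so a check belongs here or in `setup_rpc_server` (the -127 and -135 hunks of parity/main.rs), rejecting anything that is not a single `scheme://host[:port]` origin. The comment should state the contract, e.g. `/// cors_domain is sent as the Access-Control-Allow-Origin value of every response; pass exactly one origin.` This header only controls whether a browser exposes the response to the calling page; whether jsonrpc-http-server 2.0 refuses to execute requests from other origins is not visible in this diff, so the RPC methods should not be treated as protected by it. The `impl HttpServer` block starts outside the hunk.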