Merge bitcoin#20741: doc: Update 'Secure string handling'

laanwj · thelazier · commit 108022ba629c · 2021-09-25T12:22:29.000+07:00
7117d75 Update 'Secure string handling' (Prayank) Pull request description: - Add information about possible path traversal attack - [wallet_name](https://bitcoincore.org/en/doc/0.20.0/rpc/wallet/createwallet/) (string): _The name for the new wallet. If this is a 'path', the wallet will be created at the 'path' location._ Fixes bitcoin#20128 (Not really fixing it but workaround) This PR is an alternative to bitcoin#20393 ACKs for top commit: michaelfolkson: ACK 7117d75 RiccardoMasutti: ACK bitcoin@7117d75 benthecarman: ACK 7117d75 Tree-SHA512: 0d6c4f8db5feba848bbb583e87a99e6c4b655deaa2b566164e2632acc1aabf470d4626d2dc4b82c4997effc30d9b474d860d0e0d3e896648c5cc9bfdb623da6d
diff --git a/doc/JSON-RPC-interface.md b/doc/JSON-RPC-interface.md
@@ -88,13 +88,14 @@ RPC interface will be abused.
 - **Secure string handling:** The RPC interface does not guarantee any
   escaping of data beyond what's necessary to encode it as JSON,
   although it does usually provide serialized data using a hex
-  representation of the bytes.  If you use RPC data in your programs or
-  provide its data to other programs, you must ensure any problem
-  strings are properly escaped.  For example, multiple websites have
-  been manipulated because they displayed decoded hex strings that
-  included HTML `<script>` tags.  For this reason, and other
-  non-security reasons, it is recommended to display all serialized data
-  in hex form only.
+  representation of the bytes. If you use RPC data in your programs or
+  provide its data to other programs, you must ensure any problem strings
+  are properly escaped. For example, the `createwallet` RPC accepts
+  arguments such as `wallet_name` which is a string and could be used
+  for a path traversal attack without application level checks. Multiple
+  websites have been manipulated because they displayed decoded hex strings
+  that included HTML `<script>` tags. For this reason, and others, it is
+  recommended to display all serialized data in hex form only.
 
 ## RPC consistency guarantees
 
