From ef119aad6829064b76ba86f5be97e72db5d494a7 Mon Sep 17 00:00:00 2001
From: Whit J <whitj00@users.noreply.github.com>
Date: Fri, 29 Aug 2014 17:07:59 -0700
Subject: [PATCH]  New issue Don't reveal whether password is <20 or >20
 characters in RPC

From Bitcoin Pull #4728

It seems bad to base a decision to delay on the password length, as it leaks a tiny bit of information.

This doesn't change DoS potential as it is trivial to hold up all RPC threads in another way for someone in the rpcallowip list.
---
 src/rpcserver.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp
index 31c73b539..c9a0bd378 100644
--- a/src/rpcserver.cpp
+++ b/src/rpcserver.cpp
@@ -827,11 +827,10 @@ void ServiceConnection(AcceptedConnection *conn)
         if (!HTTPAuthorized(mapHeaders))
         {
             LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", conn->peer_address_to_string());
-            /* Deter brute-forcing short passwords.
+            /* Deter brute-forcing
                If this results in a DoS the user really
                shouldn't have their RPC port exposed. */
-            if (mapArgs["-rpcpassword"].size() < 20)
-                MilliSleep(250);
+            MilliSleep(250);
 
             conn->stream() << HTTPReply(HTTP_UNAUTHORIZED, "", false) << std::flush;
             break;