6

How advisable is using the following code to query Bitcoin Core, as compared to using some Python RPC library?

    import os

    # Command prefix for the bitcoin-cli binary (the asker keeps this in a config file)
    btc_prefix = 'bitcoin-cli '

    def getblockcount(btc_prefix):
        print("in getblockcount")
        # Build a single shell command string and run it through the shell;
        # os.popen only captures stdout, so an error printed to stderr leaves
        # response empty and int() raises ValueError
        cmd = ' '.join([btc_prefix, 'getblockcount'])
        response = os.popen(cmd).read()
        return int(response)

    getblockcount(btc_prefix)

It is kind of a wrapper function for the Core APIs. What are the drawbacks/advantages of using the above code? Also, does it affect security in any way?

Michael Folkson
  • 14,337
  • 3
  • 11
  • 45
Shabahat M. Ayubi
  • 1,479
  • 10
  • 25

1 Answer

2

bitcoin-cli is just a wrapper for the RPC functions, so you're essentially doing exactly the same thing as an RPC call. Generally, using RPC is preferred since you don't have to rely on the bitcoin-cli executable being on the system and in your current path. This most likely won't work on Windows, for example.

In general RPC is preferred because you can access it from other systems. With your program, you'll only be able to run it on the system that has Bitcoin Core installed, whereas with RPC you can run it from other systems.

Jimmy Song
  • 7,709
  • 16
  • 35
  • 2
    It also has far lower overhead, as you don't need to start a new process for each request – Pieter Wuille Dec 21 '16 at 18:02
  • @PieterWuille What has a lower overhead? – Shabahat M. Ayubi Dec 23 '16 at 07:46
  • @Jimmy There isn't a security flaw as such in my approach? – Shabahat M. Ayubi Dec 23 '16 at 07:50
  • 1
    Using bitcoin-cli is very slow. Use JSON-RPC from your program directly; it will be much more flexible and faster than using Bitcoin Core's wrapper binary. – Pieter Wuille Dec 23 '16 at 10:02
  • The security flaw in getblockcount is that an attacker can execute anything on your system (e.g. pass in btc_prefix as `rm -rf /`). I would strongly advise you use JSON-RPC which will only execute what you want. – Jimmy Song Dec 23 '16 at 20:00
  • @JimmySong But then, as you mentioned, the approach I am using does not allow anyone to access bitcoind remotely (which is required in my case). And it is an internal module not exposed to any API where you can pass btc_prefix. It is saved in a config file. Does it pose any similar security flaw given the conditions? – Shabahat M. Ayubi Dec 26 '16 at 13:42
  • If your internal app is locked down from a security perspective, then of course it's going to be secure whatever code you run on it. Generally, when you ask for a security audit, you assume some external party has access. – Jimmy Song Dec 26 '16 at 16:14
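Added example (not code from the question or from Jimmy Song's answer) showing the direct JSON-RPC approach the answer and comments recommend, and why it avoids the shell-injection risk raised in the comments: the method name and parameters are JSON-encoded in an HTTP body, so a hostile value such as the `rm -rf /` mentioned above never reaches a shell and is simply rejected by the node as an unknown method, and the request can be sent to a node on another host. Assumed, not from the page: the node listens on http://127.0.0.1:8332/ (Bitcoin Core's default mainnet RPC port) with HTTP Basic credentials `rpcuser`/`rpcpassword` from bitcoin.conf; the `fake_node` stand-in and its block height are constructed so the file runs without bitcoind.

```python
"""Query Bitcoin Core over JSON-RPC directly instead of shelling out to bitcoin-cli.

Added example for this thread, not code from the original question or answer.
Assumptions (not stated on the page): the node listens on 127.0.0.1:8332, uses
HTTP Basic auth with rpcuser/rpcpassword from bitcoin.conf, and the fake_node
responses below are constructed for illustration.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Optional


class RPCError(Exception):
    """Raised when the node returns a JSON-RPC error object or rejects the credentials."""


def build_request(method: str, params: Optional[list] = None, req_id: int = 1) -> bytes:
    """Serialize one JSON-RPC request in the 1.0 style Bitcoin Core accepts.

    method and params are JSON-encoded, never spliced into a shell string, so a
    value such as 'getblockcount; rm -rf /' stays one opaque method name.
    """
    body = {"jsonrpc": "1.0", "id": req_id, "method": method, "params": params or []}
    return json.dumps(body).encode("utf-8")


def parse_response(raw: bytes, expected_id: int = 1) -> Any:
    """Validate the response envelope (id match, no error object) and return result."""
    resp = json.loads(raw.decode("utf-8"))
    if resp.get("id") != expected_id:
        raise RPCError(f"response id {resp.get('id')!r} != request id {expected_id!r}")
    if resp.get("error") is not None:
        err = resp["error"]
        raise RPCError(f"RPC error {err.get('code')}: {err.get('message')}")
    return resp.get("result")


# A transport takes (body, extra headers) and returns the raw response body.
Transport = Callable[[bytes, dict], bytes]


def http_transport(url: str, user: str, password: str, timeout: float = 10.0) -> Transport:
    """Build a transport that POSTs to the node's RPC endpoint with HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(body: bytes, headers: dict) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST")
        req.add_header("Authorization", f"Basic {token}")
        for key, value in headers.items():
            req.add_header(key, value)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError as exc:
            # 401 means the credentials were refused; other 4xx/5xx statuses from
            # Bitcoin Core still carry a JSON error object that parse_response handles.
            if exc.code == 401:
                raise RPCError("authentication failed (check rpcuser/rpcpassword)") from exc
            return exc.read()

    return send


class BitcoinRPC:
    def __init__(self, transport: Transport):
        self._send = transport
        self._next_id = 0

    def call(self, method: str, *params: Any) -> Any:
        self._next_id += 1
        body = build_request(method, list(params), self._next_id)
        raw = self._send(body, {"Content-Type": "application/json"})
        return parse_response(raw, self._next_id)

    def getblockcount(self) -> int:
        return int(self.call("getblockcount"))


def fake_node(responses: dict) -> Transport:
    """Constructed stand-in for bitcoind: maps method name -> (result, error)."""
    def send(body: bytes, headers: dict) -> bytes:
        req = json.loads(body)
        unknown = (None, {"code": -32601, "message": "Method not found"})
        result, error = responses.get(req["method"], unknown)
        return json.dumps({"result": result, "error": error, "id": req["id"]}).encode()
    return send


if __name__ == "__main__":
    # Against a real node (assumed local, default port, credentials from bitcoin.conf):
    rpc = BitcoinRPC(http_transport("http://127.0.0.1:8332/", "rpcuser", "rpcpassword"))
    print(rpc.getblockcount())
```

Swapping `http_transport` for `fake_node` lets the request-building, id matching and error handling be exercised offline; pointing the URL at another host (with `rpcallowip`/`rpcbind` configured on the node) gives the remote access the asker needs, which the bitcoin-cli-via-shell approach cannot.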