fix: sanitize outputs
authorThomasV <thomasv@gitorious>
Fri, 6 Jun 2014 05:48:08 +0000 (07:48 +0200)
committerThomasV <thomasv@gitorious>
Fri, 6 Jun 2014 05:48:08 +0000 (07:48 +0200)
gui/qt/main_window.py
gui/qt/paytoedit.py
lib/paymentrequest.py
lib/wallet.py

index e2cb1f0..9620b6c 100644 (file)
@@ -797,10 +797,22 @@ class ElectrumWindow(QMainWindow):
 
         if self.gui_object.payment_request:
             outputs = self.gui_object.payment_request.outputs
-            amount = self.gui_object.payment_request.get_amount()
         else:
             outputs = self.payto_e.get_outputs()
-            amount = sum(map(lambda x:x[1], outputs))
+
+        if not outputs:
+            QMessageBox.warning(self, _('Error'), _('No outputs'), _('OK'))
+            return
+
+        for addr, x in outputs:
+            if addr is None or not bitcoin.is_address(addr):
+                QMessageBox.warning(self, _('Error'), _('Invalid Bitcoin Address'), _('OK'))
+                return
+            if type(x) is not int:
+                QMessageBox.warning(self, _('Error'), _('Invalid Amount'), _('OK'))
+                return
+
+        amount = sum(map(lambda x:x[1], outputs))
 
         try:
             fee = self.fee_e.get_amount()
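Review bot: The amount check `if type(x) is not int:` in the new validation loop lets zero and negative integers through, and on Python 2 it would also reject a legitimate `long` value. Because `outputs` may come from `self.gui_object.payment_request.outputs`, which is presumably data supplied by whoever issued the request, a negative entry would lower the total computed by `amount = sum(map(lambda x:x[1], outputs))`. I would check type and sign together, e.g. `if type(x) not in (int, long) or x <= 0:`, assuming zero-value outputs are not meant to be sendable from this dialog. The enclosing method starts and ends outside the hunk.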
index 1b9ae1b..6352fb4 100644 (file)
@@ -41,6 +41,7 @@ class PayToEdit(QTextEdit):
         self.setMaximumHeight(27)
         self.c = None
         self.textChanged.connect(self.check_text)
+        self.outputs = []
 
     def lock_amount(self):
         self.amount_edit.setFrozen(True)
@@ -88,8 +89,15 @@ class PayToEdit(QTextEdit):
                 self.payto_address = self.parse_address(lines[0])
             except:
                 pass
+
             if self.payto_address:
                 self.unlock_amount()
+                try:
+                    amount = self.amount_edit.get_amount()
+                except:
+                    amount = None
+
+                self.outputs = [(self.payto_address, amount)]
                 return
 
         for line in lines:
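Review bot: `self.outputs = [(self.payto_address, amount)]` captures the amount when this method runs, and the only trigger visible in the diff is `self.textChanged.connect(self.check_text)` on the pay-to field. If the user edits the amount afterwards without touching the address, `get_outputs()` may return the earlier amount, whereas the removed `get_outputs()` read `self.amount_edit.get_amount()` at send time. Unless the amount field also triggers this method somewhere outside the diff, either rebuild the single-address tuple inside `get_outputs()` or connect the amount field's change signal to `check_text`. The new bare `except:` would also be better as `except Exception:`, as the removed code had it. The enclosing method (presumably `check_text`) starts and ends outside the hunk.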
@@ -115,24 +123,7 @@ class PayToEdit(QTextEdit):
             self.unlock_amount()
 
 
-
     def get_outputs(self):
-
-        if self.payto_address:
-            
-            if not bitcoin.is_address(self.payto_address):
-                QMessageBox.warning(self, _('Error'), _('Invalid Bitcoin Address') + ':\n' + self.payto_address, _('OK'))
-                return
-
-            try:
-                amount = self.amount_edit.get_amount()
-            except Exception:
-                QMessageBox.warning(self, _('Error'), _('Invalid Amount'), _('OK'))
-                return
-
-            outputs = [(self.payto_address, amount)]
-            return outputs
-
         return self.outputs
 
 
index 7c68bc9..d970d49 100644 (file)
@@ -57,9 +57,6 @@ class PaymentRequest:
         self.outputs = []
         self.error = ""
 
-    def get_amount(self):
-        return sum(map(lambda x:x[1], self.outputs))
-
 
     def verify(self):
         u = urlparse.urlparse(self.url)
index d08dc4a..4664a50 100644 (file)
@@ -118,7 +118,7 @@ class WalletStorage:
         with self.lock:
             if value is not None:
                 self.data[key] = value
-            else:
+            elif key in self.data:
                 self.data.pop(key)
             if save: 
                 self.write()