standardized the spoof prevention:

- set the nonce and noncePrev for the handler when rendering the form
- include the current nonce in the hidden parameter "nonce"
- include an "action" parameter (so we know we want to execute something and hence, validate the nonce, rather than just display the page)
- if the nonce submitted doesnt match what is set in the nonce or noncePrev when validating, its invalid.  refuse to process

apps/routerconsole/jsp/config.jsp

@@ -22,6 +22,12 @@
  <i><jsp:getProperty name="formhandler" property="notices" /></i>
 
  <form action="config.jsp" method="POST">
+ <% String prev = System.getProperty("net.i2p.router.web.ConfigNetHandler.nonce");
+    if (prev != null) System.setProperty("net.i2p.router.web.ConfigNetHandler.noncePrev", prev);
+    System.setProperty("net.i2p.router.web.ConfigNetHandler.nonce", new java.util.Random().nextLong()+""); %>
+ <input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigNetHandler.nonce")%>" />
+ <input type="hidden" name="action" value="blah" />
+
  <b>External hostname/IP address:</b> 
     <input name="hostname" type="text" size="32" value="<jsp:getProperty name="nethelper" property="hostname" />" />
     <input type="submit" name="guesshost" value="Guess" /><br />

apps/routerconsole/jsp/configadvanced.jsp

@@ -23,6 +23,11 @@
  <i><jsp:getProperty name="formhandler" property="notices" /></i>
  
  <form action="configadvanced.jsp" method="POST">
+ <% String prev = System.getProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce");
+    if (prev != null) System.setProperty("net.i2p.router.web.ConfigAdvancedHandler.noncePrev", prev);
+    System.setProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce", new java.util.Random().nextLong()+""); %>
+ <input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce")%>" />
+ <input type="hidden" name="action" value="blah" />
  <textarea rows="20" cols="100" name="config"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br />
  <input type="submit" name="shouldsave" value="Apply" /> <input type="reset" value="Cancel" /> <br />
  <b>Force restart:</b> <input type="checkbox" name="restart" value="force" /> <i>(specify this

apps/routerconsole/jsp/configclients.jsp

@@ -23,6 +23,11 @@
  <i><jsp:getProperty name="formhandler" property="notices" /></i>
  
  <form action="configclients.jsp" method="POST">
+ <% String prev = System.getProperty("net.i2p.router.web.ConfigClientsHandler.nonce");
+    if (prev != null) System.setProperty("net.i2p.router.web.ConfigClientsHandler.noncePrev", prev);
+    System.setProperty("net.i2p.router.web.ConfigClientsHandler.nonce", new java.util.Random().nextLong()+""); %>
+ <input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigClientsHandler.nonce")%>" />
+ <input type="hidden" name="action" value="blah" />
  <b>Estimated number of clients/destinations:</b> 
     <jsp:getProperty name="clientshelper" property="clientCountSelectBox" /><br />
  <b>Default number of inbound tunnels per client:</b>

apps/routerconsole/jsp/configlogging.jsp

@@ -22,6 +22,11 @@
  <i><jsp:getProperty name="formhandler" property="notices" /></i>
   
  <form action="configlogging.jsp" method="POST">
+ <% String prev = System.getProperty("net.i2p.router.web.ConfigLoggingHandler.nonce");
+    if (prev != null) System.setProperty("net.i2p.router.web.ConfigLoggingHandler.noncePrev", prev);
+    System.setProperty("net.i2p.router.web.ConfigLoggingHandler.nonce", new java.util.Random().nextLong()+""); %>
+ <input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigLoggingHandler.nonce")%>" />
+ <input type="hidden" name="action" value="blah" />
  <b>Logging filename:</b> 
     <input type="text" name="logfilename" size="40" value="<jsp:getProperty name="logginghelper" property="logFilePattern" />" /><br />
     <i>(the symbol '#' will be replaced during log rotation)</i><br />