I2P_Developers/i2p.itoopie
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

standardized the spoof prevention:

Browse Source 
- set the nonce and noncePrev for the handler when rendering the form
- include the current nonce in the hidden parameter "nonce"
- include an "action" parameter (so we know we want to execute something and hence, validate the nonce, rather than just display the page)
- if the nonce submitted doesnt match what is set in the nonce or noncePrev when validating, its invalid.  refuse to process
This commit is contained in:
jrandom
2004-08-23 17:11:38 +00:00
committed by zzz
parent 9f7320fa67
commit bce5b44275
6 changed files with 65 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/routerconsole/jsp/config.jsp
View File

@ -22,6 +22,12 @@
<i><jsp:getProperty name="formhandler" property="notices" /></i>
<form action="config.jsp" method="POST">
<% String prev = System.getProperty("net.i2p.router.web.ConfigNetHandler.nonce");
if (prev != null) System.setProperty("net.i2p.router.web.ConfigNetHandler.noncePrev", prev);
System.setProperty("net.i2p.router.web.ConfigNetHandler.nonce", new java.util.Random().nextLong()+""); %>
<input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigNetHandler.nonce")%>" />
<input type="hidden" name="action" value="blah" />
<b>External hostname/IP address:</b>
<input name="hostname" type="text" size="32" value="<jsp:getProperty name="nethelper" property="hostname" />" />
<input type="submit" name="guesshost" value="Guess" /><br />