I2P_Developers/i2p.itoopie
3
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

standardized the spoof prevention:

Browse Source 
- set the nonce and noncePrev for the handler when rendering the form
- include the current nonce in the hidden parameter "nonce"
- include an "action" parameter (so we know we want to execute something and hence, validate the nonce, rather than just display the page)
- if the nonce submitted doesnt match what is set in the nonce or noncePrev when validating, its invalid.  refuse to process
This commit is contained in:
jrandom
2004-08-23 17:11:38 +00:00
committed by zzz
parent 9f7320fa67
commit bce5b44275
6 changed files with 65 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/routerconsole/jsp/configadvanced.jsp
View File

@ -23,6 +23,11 @@
<i><jsp:getProperty name="formhandler" property="notices" /></i>
<form action="configadvanced.jsp" method="POST">
<% String prev = System.getProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce");
if (prev != null) System.setProperty("net.i2p.router.web.ConfigAdvancedHandler.noncePrev", prev);
System.setProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce", new java.util.Random().nextLong()+""); %>
<input type="hidden" name="nonce" value="<%=System.getProperty("net.i2p.router.web.ConfigAdvancedHandler.nonce")%>" />
<input type="hidden" name="action" value="blah" />
<textarea rows="20" cols="100" name="config"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br />
<input type="submit" name="shouldsave" value="Apply" /> <input type="reset" value="Cancel" /> <br />
<b>Force restart:</b> <input type="checkbox" name="restart" value="force" /> <i>(specify this