Fix potential XSS holes

2009-12-04 00:27:05 +00:00
parent c4e6148b9f
commit f5c1acc749
6 changed files with 18 additions and 7 deletions
--- a/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/NetDbHelper.java
@ -4,6 +4,7 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
 import net.i2p.data.DataHelper;
 public class NetDbHelper extends HelperBase {
    private String _routerPrefix;
@ -12,7 +13,10 @@ public class NetDbHelper extends HelperBase {
    public NetDbHelper() {}
-    public void setRouter(String r) { _routerPrefix = r; }
+    public void setRouter(String r) {
        _routerPrefix = DataHelper.stripHTML(r);  // XSS
    }
    public void setFull(String f) {
        try {
            _full = Integer.parseInt(f);
--- a/apps/routerconsole/jsp/configpeer.jsp
+++ b/apps/routerconsole/jsp/configpeer.jsp
@ -24,7 +24,7 @@
 <% String peer = "";
    if (request.getParameter("peer") != null)
-        peer = request.getParameter("peer");
+        peer = net.i2p.data.DataHelper.stripHTML(request.getParameter("peer"));  // XSS
 %>
 <div class="configure">
 <form action="configpeer.jsp" method="POST">
--- a/apps/routerconsole/jsp/i2ptunnel/index.jsp
+++ b/apps/routerconsole/jsp/i2ptunnel/index.jsp
@ -3,5 +3,5 @@
 <meta http-equiv="pragma" content="no-cache" />
 </head>
 <body>
-The I2P Tunnel Manager is not currently running. Please visit the<a href="/configclients.jsp">Client Configuration</a> page to start it.
+The I2P Tunnel Manager is not currently running. Please visit the <a href="/configclients.jsp">Client Configuration</a> page to start it.
 </body></html>
--- a/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/AddressbookBean.java
@ -35,6 +35,8 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.Properties;
 import net.i2p.data.DataHelper;
 public class AddressbookBean
 {
 	private String book, action, serial, lastSerial, filter, search, hostname, destination;
@ -140,7 +142,7 @@ public class AddressbookBean
 		return book;
 	}
 	public void setBook(String book) {
-		this.book = book;
+		this.book = DataHelper.stripHTML(book);  // XSS
 	}
 	public String getSerial() {
 		lastSerial = "" + Math.random();
@ -326,7 +328,7 @@ public class AddressbookBean
 		return destination;
 	}
 	public void setDestination(String destination) {
-		this.destination = destination;
+		this.destination = DataHelper.stripHTML(destination);  // XSS
 	}
 	public String getHostname() {
 		return hostname;
@ -338,7 +340,7 @@ public class AddressbookBean
 		deletionMarks.addLast( name );
 	}
 	public void setHostname(String hostname) {
-		this.hostname = hostname;
+		this.hostname = DataHelper.stripHTML(hostname);  // XSS
 	}
 	private int getBeginInt() {
 		return Math.max(0, Math.min(entries.length - 1, beginIndex));
--- a/history.txt
+++ b/history.txt
@ -1,3 +1,8 @@
 2009-12-04 zzz
    * Console: Close up some possible XSS (thanks Pragmatk)
    * i2psnark: Config cleanup, more HTML transitional fixes
    * readme*.html: Point to translated pages on www.i2p2.i2p
 2009-11-29 zzz
    * config.jsp: Comment out unused stuff better
    * profiles.jsp: Hide non-ff from ff table
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@ -18,7 +18,7 @@ public class RouterVersion {
    /** deprecated */
    public final static String ID = "Monotone";
    public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 24;
+    public final static long BUILD = 25;
    /** for example "-test" */
    public final static String EXTRA = "";
    public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;