Console: Fix UTF-8 passwords

Partial fix for UTF-8 usernames Better input checking and help messages
2016-05-08 19:49:14 +00:00
parent 8bb6922e80
commit 6b578dfd8c
5 changed files with 68 additions and 10 deletions
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigUIHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigUIHandler.java
@ -5,6 +5,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

+import net.i2p.data.DataHelper;
+
 /** set the theme */
 public class ConfigUIHandler extends FormHandler {
    private boolean _shouldSave;
@ -80,6 +82,16 @@ public class ConfigUIHandler extends FormHandler {
            addFormError(_t("No user name entered"));
            return;
        }
+        // XSS filters # and ; but not =
+        // We store the username as the part of an option key, so we can't handle '='
+        if (name.contains("=")) {
+            addFormError("User name may not contain '='");
+            return;
+        }
+        byte[] b1 = DataHelper.getUTF8(name);
+        byte[] b2 = DataHelper.getASCII(name);
+        if (!DataHelper.eq(b1, b2))
+            addFormError(_t("Warning: User names outside the ISO-8859-1 character set are not recommended. Support is not standardized and varies by browser."));
        String pw = getJettyString("nofilter_pw");
        if (pw == null || pw.length() <= 0) {
            addFormError(_t("No password entered"));
@ -91,6 +103,8 @@ public class ConfigUIHandler extends FormHandler {
            if (!_context.getBooleanProperty(RouterConsoleRunner.PROP_PW_ENABLE))
                _context.router().saveConfig(RouterConsoleRunner.PROP_PW_ENABLE, "true");
            addFormNotice(_t("Added user {0}", name));
+            addFormNotice(_t("To recover from a forgotten or non-working password, stop I2P, edit the file {0}, delete the line {1}, and restart I2P.",
+                             _context.router().getConfigFilename(), RouterConsoleRunner.PROP_PW_ENABLE + "=true"));
            addFormError(_t("Restart required to take effect"));
        } else {
            addFormError(_t("Error saving the configuration (applied but not saved) - please see the error logs."));
--- a/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/RouterConsoleRunner.java
@ -5,6 +5,7 @@ import java.io.File;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
 import java.net.InetAddress;
 import java.net.Inet4Address;
 import java.net.InetSocketAddress;
@ -838,16 +839,51 @@ public class RouterConsoleRunner implements RouterApp {
                HashLoginService realm = new HashLoginService(JETTY_REALM);
                sec.setLoginService(realm);
                sec.setAuthenticator(authenticator);
+                String[] role = new String[] {JETTY_ROLE};
                for (Map.Entry<String, String> e : userpw.entrySet()) {
                    String user = e.getKey();
                    String pw = e.getValue();
-                    realm.putUser(user, Credential.getCredential(MD5.__TYPE + pw), new String[] {JETTY_ROLE});
+                    Credential cred = Credential.getCredential(MD5.__TYPE + pw);
+                    realm.putUser(user, cred, role);
                    Constraint constraint = new Constraint(user, JETTY_ROLE);
                    constraint.setAuthenticate(true);
                    ConstraintMapping cm = new ConstraintMapping();
                    cm.setConstraint(constraint);
                    cm.setPathSpec("/");
                    constraints.add(cm);
+                    // Jetty does auth checking only with ISO-8859-1,
+                    // so register a 2nd and 3rd user with different encodings if necessary.
+                    // Might work, might not...
+                    // There's no standard and browser behavior varies.
+                    // Chrome sends UTF-8. Firefox doesn't send anything.
+                    // https://bugzilla.mozilla.org/show_bug.cgi?id=41489
+                    // see also RFC 7616/7617 (late 2015) and PasswordManager.md5Hex()
+                    byte[] b1 = DataHelper.getUTF8(user);
+                    byte[] b2 = DataHelper.getASCII(user);
+                    if (!DataHelper.eq(b1, b2)) {
+                        try {
+                            // each char truncated to 8 bytes
+                            String user2 = new String(b2, "ISO-8859-1");
+                            realm.putUser(user2, cred, role);
+                            constraint = new Constraint(user2, JETTY_ROLE);
+                            constraint.setAuthenticate(true);
+                            cm = new ConstraintMapping();
+                            cm.setConstraint(constraint);
+                            cm.setPathSpec("/");
+                            constraints.add(cm);
+
+                            // each UTF-8 byte as a char
+                            // this is what chrome does
+                            String user3 = new String(b1, "ISO-8859-1");
+                            realm.putUser(user3, cred, role);
+                            constraint = new Constraint(user3, JETTY_ROLE);
+                            constraint.setAuthenticate(true);
+                            cm = new ConstraintMapping();
+                            cm.setConstraint(constraint);
+                            cm.setPathSpec("/");
+                            constraints.add(cm);
+                        } catch (UnsupportedEncodingException uee) {}
+                    }
                }
            }
        }