forked from I2P_Developers/i2p.i2p
Console: Fix UTF-8 passwords
Partial fix for UTF-8 usernames Better input checking and help messages
This commit is contained in:
@ -463,6 +463,7 @@ public abstract class I2PTunnelHTTPClientBase extends I2PTunnelClientBase implem
|
||||
" realm=\"" + getRealm() + '"' +
|
||||
(isDigest ? ", nonce=\"" + getNonce() + "\"," +
|
||||
" algorithm=MD5," +
|
||||
" charset=UTF-8," + // RFC 7616/7617
|
||||
" qop=\"auth\"" +
|
||||
(isStale ? ", stale=true" : "")
|
||||
: "") +
|
||||
|
||||
@ -5,6 +5,8 @@ import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import net.i2p.data.DataHelper;
|
||||
|
||||
/** set the theme */
|
||||
public class ConfigUIHandler extends FormHandler {
|
||||
private boolean _shouldSave;
|
||||
@ -80,6 +82,16 @@ public class ConfigUIHandler extends FormHandler {
|
||||
addFormError(_t("No user name entered"));
|
||||
return;
|
||||
}
|
||||
// XSS filters # and ; but not =
|
||||
// We store the username as the part of an option key, so we can't handle '='
|
||||
if (name.contains("=")) {
|
||||
addFormError("User name may not contain '='");
|
||||
return;
|
||||
}
|
||||
byte[] b1 = DataHelper.getUTF8(name);
|
||||
byte[] b2 = DataHelper.getASCII(name);
|
||||
if (!DataHelper.eq(b1, b2))
|
||||
addFormError(_t("Warning: User names outside the ISO-8859-1 character set are not recommended. Support is not standardized and varies by browser."));
|
||||
String pw = getJettyString("nofilter_pw");
|
||||
if (pw == null || pw.length() <= 0) {
|
||||
addFormError(_t("No password entered"));
|
||||
@ -91,6 +103,8 @@ public class ConfigUIHandler extends FormHandler {
|
||||
if (!_context.getBooleanProperty(RouterConsoleRunner.PROP_PW_ENABLE))
|
||||
_context.router().saveConfig(RouterConsoleRunner.PROP_PW_ENABLE, "true");
|
||||
addFormNotice(_t("Added user {0}", name));
|
||||
addFormNotice(_t("To recover from a forgotten or non-working password, stop I2P, edit the file {0}, delete the line {1}, and restart I2P.",
|
||||
_context.router().getConfigFilename(), RouterConsoleRunner.PROP_PW_ENABLE + "=true"));
|
||||
addFormError(_t("Restart required to take effect"));
|
||||
} else {
|
||||
addFormError(_t("Error saving the configuration (applied but not saved) - please see the error logs."));
|
||||
|
||||
@ -5,6 +5,7 @@ import java.io.File;
|
||||
import java.io.FilenameFilter;
|
||||
import java.io.IOException;
|
||||
import java.io.Serializable;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.InetAddress;
|
||||
import java.net.Inet4Address;
|
||||
import java.net.InetSocketAddress;
|
||||
@ -838,16 +839,51 @@ public class RouterConsoleRunner implements RouterApp {
|
||||
HashLoginService realm = new HashLoginService(JETTY_REALM);
|
||||
sec.setLoginService(realm);
|
||||
sec.setAuthenticator(authenticator);
|
||||
String[] role = new String[] {JETTY_ROLE};
|
||||
for (Map.Entry<String, String> e : userpw.entrySet()) {
|
||||
String user = e.getKey();
|
||||
String pw = e.getValue();
|
||||
realm.putUser(user, Credential.getCredential(MD5.__TYPE + pw), new String[] {JETTY_ROLE});
|
||||
Credential cred = Credential.getCredential(MD5.__TYPE + pw);
|
||||
realm.putUser(user, cred, role);
|
||||
Constraint constraint = new Constraint(user, JETTY_ROLE);
|
||||
constraint.setAuthenticate(true);
|
||||
ConstraintMapping cm = new ConstraintMapping();
|
||||
cm.setConstraint(constraint);
|
||||
cm.setPathSpec("/");
|
||||
constraints.add(cm);
|
||||
// Jetty does auth checking only with ISO-8859-1,
|
||||
// so register a 2nd and 3rd user with different encodings if necessary.
|
||||
// Might work, might not...
|
||||
// There's no standard and browser behavior varies.
|
||||
// Chrome sends UTF-8. Firefox doesn't send anything.
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=41489
|
||||
// see also RFC 7616/7617 (late 2015) and PasswordManager.md5Hex()
|
||||
byte[] b1 = DataHelper.getUTF8(user);
|
||||
byte[] b2 = DataHelper.getASCII(user);
|
||||
if (!DataHelper.eq(b1, b2)) {
|
||||
try {
|
||||
// each char truncated to 8 bytes
|
||||
String user2 = new String(b2, "ISO-8859-1");
|
||||
realm.putUser(user2, cred, role);
|
||||
constraint = new Constraint(user2, JETTY_ROLE);
|
||||
constraint.setAuthenticate(true);
|
||||
cm = new ConstraintMapping();
|
||||
cm.setConstraint(constraint);
|
||||
cm.setPathSpec("/");
|
||||
constraints.add(cm);
|
||||
|
||||
// each UTF-8 byte as a char
|
||||
// this is what chrome does
|
||||
String user3 = new String(b1, "ISO-8859-1");
|
||||
realm.putUser(user3, cred, role);
|
||||
constraint = new Constraint(user3, JETTY_ROLE);
|
||||
constraint.setAuthenticate(true);
|
||||
cm = new ConstraintMapping();
|
||||
cm.setConstraint(constraint);
|
||||
cm.setPathSpec("/");
|
||||
constraints.add(cm);
|
||||
} catch (UnsupportedEncodingException uee) {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1873,7 +1873,9 @@ public class DataHelper {
|
||||
* Roughly the same as orig.getBytes("ISO-8859-1") but much faster and
|
||||
* will not throw an exception.
|
||||
*
|
||||
* @param orig non-null, must be 7-bit chars
|
||||
* Warning - misnamed, converts to ISO-8859-1.
|
||||
*
|
||||
* @param orig non-null, truncates to 8-bit chars
|
||||
* @since 0.9.5
|
||||
*/
|
||||
public static byte[] getASCII(String orig) {
|
||||
|
||||
@ -30,7 +30,7 @@ public class PasswordManager {
|
||||
protected static final String PROP_PW = ".password";
|
||||
/** stored obfuscated as b64 of the UTF-8 bytes */
|
||||
protected static final String PROP_B64 = ".b64";
|
||||
/** stored as the hex of the MD5 hash of the ISO-8859-1 bytes. Compatible with Jetty. */
|
||||
/** stored as the hex of the MD5 hash of the UTF-8 bytes. Compatible with Jetty. */
|
||||
protected static final String PROP_MD5 = ".md5";
|
||||
/** stored as a Unix crypt string */
|
||||
protected static final String PROP_CRYPT = ".crypt";
|
||||
@ -185,6 +185,10 @@ public class PasswordManager {
|
||||
* Will return the MD5 sum of "user:subrealm:pw", compatible with Jetty
|
||||
* and RFC 2617.
|
||||
*
|
||||
* Updated in 0.9.26 to use UTF-8, as implied in RFC 7616/7617
|
||||
* See also http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication
|
||||
* http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username
|
||||
*
|
||||
* @param subrealm to be used in creating the checksum
|
||||
* @param user non-null, non-empty, already trimmed
|
||||
* @param pw non-null, plain text, already trimmed
|
||||
@ -200,17 +204,18 @@ public class PasswordManager {
|
||||
* Will return the MD5 sum of the data, compatible with Jetty
|
||||
* and RFC 2617.
|
||||
*
|
||||
* Updated in 0.9.26 to use UTF-8, as implied in RFC 7616/7617
|
||||
* See also http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication
|
||||
*
|
||||
* @param fullpw non-null, plain text, already trimmed
|
||||
* @return lower-case hex with leading zeros, 32 chars, or null on error
|
||||
*/
|
||||
public static String md5Hex(String fullpw) {
|
||||
try {
|
||||
byte[] data = fullpw.getBytes("ISO-8859-1");
|
||||
byte[] data = DataHelper.getUTF8(fullpw);
|
||||
byte[] sum = md5Sum(data);
|
||||
if (sum != null)
|
||||
// adds leading zeros if necessary
|
||||
return DataHelper.toString(sum);
|
||||
} catch (UnsupportedEncodingException uee) {}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user