* Console:

- Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
  - Add Content-Security-Policy and X-XSS-Protection headers
  - Disable changing news feed URL from UI
  - Disable plugin install from UI
  - Disable setting unsigned update URL from UI
  - Disable /configadvanced
* DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
* ExecNamingService: Disable (thx joernchen of Phenoelit)
* Startup: Add susimail.config to migrated files
This commit is contained in:
zzz
2014-07-26 09:32:26 +00:00
parent e9c8748c0b
commit af575d6c95
32 changed files with 124 additions and 61 deletions


@ -57,7 +57,7 @@ public class CSSHelper extends HelperBase {
*/
public void setLang(String lang) {
// Protected with nonce in css.jsi
if (lang != null && lang.length() > 0) {
if (lang != null && lang.length() > 0 && lang.length() <= 6) {
Map m = new HashMap(2);
int under = lang.indexOf('_');
if (under < 0) {
@ -105,9 +105,9 @@ public class CSSHelper extends HelperBase {
try {
if (Integer.parseInt(r) < MIN_REFRESH)
r = "" + MIN_REFRESH;
_context.router().saveConfig(PROP_REFRESH, r);
} catch (Exception e) {
}
_context.router().saveConfig(PROP_REFRESH, r);
}
/** @return refresh time in seconds, as a string */
@ -117,6 +117,7 @@ public class CSSHelper extends HelperBase {
if (Integer.parseInt(r) < MIN_REFRESH)
r = "" + MIN_REFRESH;
} catch (Exception e) {
r = "" + MIN_REFRESH;
}
return r;
}
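Review bot: In setRefresh the value persisted is still the caller's string `r`, not the parsed integer, so everything `Integer.parseInt` accepts — a leading `+`/`-`, leading zeros, and non-ASCII decimal digits such as U+0661 (it goes through `Character.digit`) — is written to config verbatim and presumably echoed back by getRefresh; moving `saveConfig` inside the try only guarantees that the string parses. Persist the canonical form instead: `int v = Integer.parseInt(r);` / `if (v < MIN_REFRESH) v = MIN_REFRESH;` / `_context.router().saveConfig(PROP_REFRESH, Integer.toString(v));`. The empty `catch (Exception e)` still swallows silently; naming it `ignored` with a one-line comment such as `// non-numeric input: leave the stored value untouched` makes the best-effort intent explicit. The setRefresh signature and the start of getRefresh lie above their hunks, outside this view.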