* Console:

- Fix several XSS issues (thx Aaron Portnoy of Exodus Intel) - Add Content-Security-Policy and X-XSS-Protection headers - Disable changing news feed URL from UI - Disable plugin install from UI - Disable setting unsigned update URL from UI - Disable /configadvanced * DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit) * ExecNamingService: Disable (thx joernchen of Phenoelit) * Startup: Add susimail.config to migrated files
2014-07-26 09:32:26 +00:00
parent e9c8748c0b
commit af575d6c95
32 changed files with 124 additions and 61 deletions
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@ -159,6 +159,8 @@ public class I2PSnarkServlet extends BasicServlet {
        // this is the part after /i2psnark
        String path = req.getServletPath();
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        resp.setHeader("Content-Security-Policy", "default-src 'self'");
        resp.setHeader("X-XSS-Protection", "1; mode=block");
        String peerParam = req.getParameter("p");
        String stParam = req.getParameter("st");
@ -167,9 +169,10 @@ public class I2PSnarkServlet extends BasicServlet {
            peerParam.replaceAll("[a-zA-Z0-9~=-]", "").length() > 0) {  // XSS
            peerString = "";
        } else {
-            peerString = "?p=" + peerParam;
+            peerString = "?p=" + DataHelper.stripHTML(peerParam);
        }
        if (stParam != null && !stParam.equals("0")) {
            stParam = DataHelper.stripHTML(stParam);
            if (peerString.length() > 0)
                peerString += "&amp;st=" + stParam;
            else
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@ -2,6 +2,8 @@
    // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
--- a/apps/i2ptunnel/jsp/editClient.jsp
+++ b/apps/i2ptunnel/jsp/editClient.jsp
@ -52,10 +52,10 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
                  %><h4><%=intl._("Edit proxy settings")%></h4><% 
                } else {
                    tunnelTypeName = editBean.getTypeName(request.getParameter("type"));
-                    tunnelType = request.getParameter("type");
+                    tunnelType = net.i2p.data.DataHelper.stripHTML(request.getParameter("type"));
                  %><h4><%=intl._("New proxy settings")%></h4><% 
                } %>
-                <input type="hidden" name="tunnel" value="<%=request.getParameter("tunnel")%>" />
+                <input type="hidden" name="tunnel" value="<%=curTunnel%>" />
                <input type="hidden" name="nonce" value="<%=editBean.getNextNonce()%>" />
                <input type="hidden" name="type" value="<%=tunnelType%>" />
                <input type="submit" class="default" name="action" value="Save changes" />
--- a/apps/i2ptunnel/jsp/editServer.jsp
+++ b/apps/i2ptunnel/jsp/editServer.jsp
@ -52,10 +52,10 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
                  %><h4><%=intl._("Edit server settings")%></h4><% 
                } else {
                    tunnelTypeName = editBean.getTypeName(request.getParameter("type"));
-                    tunnelType = request.getParameter("type");
+                    tunnelType = net.i2p.data.DataHelper.stripHTML(request.getParameter("type"));
                  %><h4><%=intl._("New server settings")%></h4><% 
                } %>
-                <input type="hidden" name="tunnel" value="<%=request.getParameter("tunnel")%>" />
+                <input type="hidden" name="tunnel" value="<%=curTunnel%>" />
                <input type="hidden" name="nonce" value="<%=editBean.getNextNonce()%>" />
                <input type="hidden" name="type" value="<%=tunnelType%>" />
                <input type="submit" class="default" name="action" value="Save changes" />
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@ -6,6 +6,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@ -6,6 +6,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
@ -39,6 +41,7 @@
   /* Fetch and format a couple of regularly-used values */
   boolean tunnelIsClient = Boolean.valueOf(request.getParameter("isClient"));
   String tunnelType = request.getParameter("type");
   tunnelType = net.i2p.data.DataHelper.stripHTML(tunnelType);
   /* Special case - don't display page 4 for server tunnels */
   if (curPage == 4 && !tunnelIsClient) {
     if ("Previous page".equals(request.getParameter("action"))) {
@ -224,17 +227,17 @@
                <label for="name" accesskey="N">
                    <%=intl._("Name")%>:(<span class="accessKey">N</span>)
                </label>
-                <input type="text" size="30" maxlength="50" name="name" id="name" title="Tunnel Name" value="<%=(!"null".equals(request.getParameter("name")) ? request.getParameter("name") : "" ) %>" class="freetext" />
+                <input type="text" size="30" maxlength="50" name="name" id="name" title="Tunnel Name" value="<%=(!"null".equals(request.getParameter("name")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("name")) : "" ) %>" class="freetext" />
            </div>
            <div id="descriptionField" class="rowItem">
                <label for="description" accesskey="e">
                    <%=intl._("Description")%>:(<span class="accessKey">E</span>)
                </label>
-                <input type="text" size="60" maxlength="80" name="description"  id="description" title="Tunnel Description" value="<%=(!"null".equals(request.getParameter("description")) ? request.getParameter("description") : "" ) %>" class="freetext" />
+                <input type="text" size="60" maxlength="80" name="description"  id="description" title="Tunnel Description" value="<%=(!"null".equals(request.getParameter("description")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("description")) : "" ) %>" class="freetext" />
            </div><%
            } else {
-            %><input type="hidden" name="name" value="<%=request.getParameter("name")%>" />
+            %><input type="hidden" name="name" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("name"))%>" />
-            <input type="hidden" name="description" value="<%=request.getParameter("description")%>" /><%
+            <input type="hidden" name="description" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("description"))%>" /><%
            } /* curPage 3 */
               /* End page 3 */ %>
@ -252,10 +255,10 @@
                <label for="proxyList" accesskey="x">
                    <%=intl._("Outproxies")%>(<span class="accessKey">x</span>):
                </label>
-                <input type="text" size="30" id="proxyList" name="proxyList" title="List of Outproxy I2P destinations" value="<%=(!"null".equals(request.getParameter("proxyList")) ? request.getParameter("proxyList") : "" ) %>" class="freetext" />
+                <input type="text" size="30" id="proxyList" name="proxyList" title="List of Outproxy I2P destinations" value="<%=(!"null".equals(request.getParameter("proxyList")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList")) : "" ) %>" class="freetext" />
            </div><%
                } else {
-            %><input type="hidden" name="proxyList" value="<%=request.getParameter("proxyList")%>" /><%
+            %><input type="hidden" name="proxyList" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList"))%>" /><%
                } /* curPage 4 */
              } else if ("client".equals(tunnelType) || "ircclient".equals(tunnelType) || "streamrclient".equals(tunnelType)) {
                if (curPage == 4) {
@ -267,7 +270,7 @@
                <label for="targetDestination" accesskey="T">
                    <%=intl._("Tunnel Destination")%>(<span class="accessKey">T</span>):
                </label>
-                <input type="text" size="30" id="targetDestination" name="targetDestination" title="Destination of the Tunnel" value="<%=(!"null".equals(request.getParameter("targetDestination")) ? request.getParameter("targetDestination") : "" ) %>" class="freetext" />
+                <input type="text" size="30" id="targetDestination" name="targetDestination" title="Destination of the Tunnel" value="<%=(!"null".equals(request.getParameter("targetDestination")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination")) : "" ) %>" class="freetext" />
                <span class="comment">(<%=intl._("name, name:port, or destination")%>
                     <% if ("streamrclient".equals(tunnelType)) { /* deferred resolution unimplemented in streamr client */ %>
                         - <%=intl._("b32 not recommended")%>
@ -275,7 +278,7 @@
                </span>
            </div><%
                } else {
-            %><input type="hidden" name="targetDestination" value="<%=request.getParameter("targetDestination")%>" /><%
+            %><input type="hidden" name="targetDestination" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination"))%>" /><%
                } /* curPage 4 */
              }
            } /* tunnelIsClient */
@ -294,10 +297,10 @@
                <label for="targetHost" accesskey="H">
                    <%=intl._("Host")%>(<span class="accessKey">H</span>):
                </label>
-                <input type="text" size="20" id="targetHost" name="targetHost" title="Target Hostname or IP" value="<%=(!"null".equals(request.getParameter("targetHost")) ? request.getParameter("targetHost") : "127.0.0.1" ) %>" class="freetext" />
+                <input type="text" size="20" id="targetHost" name="targetHost" title="Target Hostname or IP" value="<%=(!"null".equals(request.getParameter("targetHost")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost")) : "127.0.0.1" ) %>" class="freetext" />
            </div><%
              } else {
-            %><input type="hidden" name="targetHost" value="<%=request.getParameter("targetHost")%>" /><%
+            %><input type="hidden" name="targetHost" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost"))%>" /><%
              } /* curPage 5 */
            } /* streamrclient or !streamrserver */ %>
            <%
@ -310,10 +313,10 @@
                <label for="targetPort" accesskey="P">
                    <%=intl._("Port")%>(<span class="accessKey">P</span>):
                </label>
-                <input type="text" size="6" maxlength="5" id="targetPort" name="targetPort" title="Target Port Number" value="<%=(!"null".equals(request.getParameter("targetPort")) ? request.getParameter("targetPort") : "" ) %>" class="freetext" />
+                <input type="text" size="6" maxlength="5" id="targetPort" name="targetPort" title="Target Port Number" value="<%=(!"null".equals(request.getParameter("targetPort")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort")) : "" ) %>" class="freetext" />
            </div><%
              } else {
-            %><input type="hidden" name="targetPort" value="<%=request.getParameter("targetPort")%>" /><%
+            %><input type="hidden" name="targetPort" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort"))%>" /><%
              } /* curPage 5 */
            } /* !tunnelIsClient */ %>
            <%
@ -327,10 +330,10 @@
                <label for="port" accesskey="P">
                    <span class="accessKey">P</span>ort:
                </label>
-                <input type="text" size="6" maxlength="5" id="port" name="port" title="Access Port Number" value="<%=(!"null".equals(request.getParameter("port")) ? request.getParameter("port") : "" ) %>" class="freetext" />
+                <input type="text" size="6" maxlength="5" id="port" name="port" title="Access Port Number" value="<%=(!"null".equals(request.getParameter("port")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("port")) : "" ) %>" class="freetext" />
            </div><%
              } else {
-            %><input type="hidden" name="port" value="<%=request.getParameter("port")%>" /><%
+            %><input type="hidden" name="port" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("port"))%>" /><%
              } /* curPage 5 */
            } /* tunnelIsClient or httpbidirserver */ %>
            <%
@ -366,7 +369,7 @@
                </select>
            </div><%
              } else {
-            %><input type="hidden" name="reachableBy" value="<%=request.getParameter("reachableBy")%>" /><%
+            %><input type="hidden" name="reachableBy" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("reachableBy"))%>" /><%
              } /* curPage 5 */
            } /* (tunnelIsClient && !streamrclient) ||  httpbidirserver || streamrserver */
@ -388,7 +391,7 @@
            </div><%
            } else {
              if ("1".equals(request.getParameter("startOnLoad"))) {
-            %><input type="hidden" name="startOnLoad" value="<%=request.getParameter("startOnLoad")%>" /><%
+            %><input type="hidden" name="startOnLoad" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("startOnLoad"))%>" /><%
              }
            } /* curPage 6 */
@ -436,30 +439,30 @@
                } %>
                </td></tr>
                <tr><td><%=intl._("Tunnel name and description")%></td><td>
-                    <%=request.getParameter("name")%><br />
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("name"))%><br />
-                    <%=request.getParameter("description")%>
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("description"))%>
                </td></tr><%
                if (tunnelIsClient) { %>
                <tr><td><%=intl._("Tunnel destination")%></td><td><%
                  if ("httpclient".equals(tunnelType) || "connectclient".equals(tunnelType) || "sockstunnel".equals(tunnelType) || "socksirctunnel".equals(tunnelType)) { %>
-                    <%=request.getParameter("proxyList")%><%
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList"))%><%
                  } else if ("client".equals(tunnelType) || "ircclient".equals(tunnelType) || "streamrclient".equals(tunnelType)) { %>
-                    <%=request.getParameter("targetDestination")%><%
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination"))%><%
                  } %>
                </td></tr><%
                } %>
                <tr><td><%=intl._("Binding address and port")%></td><td><%
                if ((tunnelIsClient && "streamrclient".equals(tunnelType)) || (!tunnelIsClient && !"streamrserver".equals(tunnelType))) { %>
-                    <%=request.getParameter("targetHost")%><br /><%
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost"))%><br /><%
                }
                if (!tunnelIsClient) { %>
-                    <%=request.getParameter("targetPort")%><br /><%
+                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort"))%><br /><%
                }
                if (tunnelIsClient || "httpbidirserver".equals(tunnelType)) { %>
-                    <br /><%=request.getParameter("port")%><%
+                    <br /><%=net.i2p.data.DataHelper.stripHTML(request.getParameter("port"))%><%
                }
                if ((tunnelIsClient && !"streamrclient".equals(tunnelType)) || "httpbidirserver".equals(tunnelType) || "streamrserver".equals(tunnelType)) { %>
-                    <br /><%=request.getParameter("reachableBy")%><%
+                    <br /><%=net.i2p.data.DataHelper.stripHTML(request.getParameter("reachableBy"))%><%
                } %>
                </td></tr>
                <tr><td><%=intl._("Tunnel auto-start")%></td><td><%
--- a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
@ -57,7 +57,7 @@ public class CSSHelper extends HelperBase {
     */
    public void setLang(String lang) {
        // Protected with nonce in css.jsi
-        if (lang != null && lang.length() > 0) {
+        if (lang != null && lang.length() > 0 && lang.length() <= 6) {
            Map m = new HashMap(2);
            int under = lang.indexOf('_');
            if (under < 0) {
@ -105,9 +105,9 @@ public class CSSHelper extends HelperBase {
        try {
            if (Integer.parseInt(r) < MIN_REFRESH)
                r = "" + MIN_REFRESH;
            _context.router().saveConfig(PROP_REFRESH, r);
        } catch (Exception e) {
        }
        _context.router().saveConfig(PROP_REFRESH, r);
    }
    /** @return refresh time in seconds, as a string */
@ -117,6 +117,7 @@ public class CSSHelper extends HelperBase {
            if (Integer.parseInt(r) < MIN_REFRESH)
                r = "" + MIN_REFRESH;
        } catch (Exception e) {
            r = "" + MIN_REFRESH;
        }
        return r;
    }
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigAdvancedHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigAdvancedHandler.java
@ -21,7 +21,8 @@ public class ConfigAdvancedHandler extends FormHandler {
    @Override
    protected void processForm() {
        if (_shouldSave) {
-            saveChanges();
+            //saveChanges();
            addFormError("Save disabled, edit the router.config file to make changes") ;
        } else {
            // noop
        }
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHandler.java
@ -54,7 +54,8 @@ public class ConfigClientsHandler extends FormHandler {
            return;
        }
        if (_action.equals(_("Install Plugin"))) {
-            installPlugin();
+            //installPlugin();
            addFormError("Plugin installation disabled");
            return;
        }
        if (_action.equals(_("Update All Installed Plugins"))) {
--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigUpdateHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigUpdateHandler.java
@ -173,10 +173,11 @@ public class ConfigUpdateHandler extends FormHandler {
                _newsThroughProxy = false;
            String oldURL = ConfigUpdateHelper.getNewsURL(_context);
            if ( (oldURL == null) || (!_newsURL.equals(oldURL)) ) {
-                changes.put(PROP_NEWS_URL, _newsURL);
+                //changes.put(PROP_NEWS_URL, _newsURL);
                // this invalidates the news
-                changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
+                //changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
-                addFormNotice(_("Updating news URL to {0}", _newsURL));
+                //addFormNotice(_("Updating news URL to {0}", _newsURL));
                addFormError("Changing news URL disabled");
            }
        }
@ -240,8 +241,9 @@ public class ConfigUpdateHandler extends FormHandler {
        if ( (_zipURL != null) && (_zipURL.length() > 0) ) {
            String oldURL = _context.router().getConfigSetting(PROP_ZIP_URL);
            if ( (oldURL == null) || (!_zipURL.equals(oldURL)) ) {
-                changes.put(PROP_ZIP_URL, _zipURL);
+                //changes.put(PROP_ZIP_URL, _zipURL);
-                addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
+                //addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
                addFormError("Changing unsigned update URL disabled");
            }
        }
--- a/apps/routerconsole/java/src/net/i2p/router/web/FormHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/FormHandler.java
@ -5,6 +5,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import net.i2p.data.DataHelper;
 import net.i2p.router.RouterContext;
 import net.i2p.util.Log;
@ -50,8 +51,8 @@ public abstract class FormHandler {
        }
    }
-    public void setNonce(String val) { _nonce = val; }
+    public void setNonce(String val) { _nonce = DataHelper.stripHTML(val); }
-    public void setAction(String val) { _action = val; }
+    public void setAction(String val) { _action = DataHelper.stripHTML(val); }
    /**
     * For many forms, it's easiest just to put all the parameters here.
--- a/apps/routerconsole/java/src/net/i2p/router/web/SummaryHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/SummaryHelper.java
@ -818,19 +818,19 @@ public class SummaryHelper extends HelperBase {
    /* below here is stuff we need to get from summarynoframe.jsp to SummaryBarRenderer */
    private String _action;
-    public void setAction(String s) { _action = s; }
+    public void setAction(String s) { _action = DataHelper.stripHTML(s); }
    public String getAction() { return _action; }
    private String _consoleNonce;
-    public void setConsoleNonce(String s) { _consoleNonce = s; }
+    public void setConsoleNonce(String s) { _consoleNonce = DataHelper.stripHTML(s); }
    public String getConsoleNonce() { return _consoleNonce; }
    private String _updateNonce;
-    public void setUpdateNonce(String s) { _updateNonce = s; }
+    public void setUpdateNonce(String s) { _updateNonce = DataHelper.stripHTML(s); }
    public String getUpdateNonce() { return _updateNonce; }
    private String _requestURI;
-    public void setRequestURI(String s) { _requestURI = s; }
+    public void setRequestURI(String s) { _requestURI = DataHelper.stripHTML(s); }
    /**
     * @return non-null; "/home" if (strangely) not set by jsp
--- a/apps/routerconsole/jsp/configadvanced.jsp
+++ b/apps/routerconsole/jsp/configadvanced.jsp
@ -24,13 +24,19 @@
 <%@include file="formhandler.jsi" %>
 <div class="configure">
 <div class="wideload">
 <!--
 <form action="" method="POST">
 <input type="hidden" name="nonce" value="<%=pageNonce%>" >
 <input type="hidden" name="action" value="blah" >
 -->
 <h3><%=intl._("Advanced I2P Configuration")%></h3>
- <textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
+ <textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false" readonly="readonly"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
 <!--
      <div class="formaction">
        <input type="reset" class="cancel" value="<%=intl._("Cancel")%>" >
        <input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" >
 <br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%>
- </div></form></div></div></div></body></html>
+ </div></form>
 -->
 To make changes, edit the router.config file.
 </div></div></div></body></html>
--- a/apps/routerconsole/jsp/configclients.jsp
+++ b/apps/routerconsole/jsp/configclients.jsp
@ -117,6 +117,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 <input type="submit" name="action" class="accept" value="<%=intl._("Save Plugin Configuration")%>" />
 </div></form></div>
 <!--
 <h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p>
 <%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%>
 <%=intl._("To install a plugin, enter the download URL:")%>
@ -132,5 +133,6 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 </div><hr><div class="formaction">
 <input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" />
 </div></form></div>
 -->
 <% } %>
 </div></div></body></html>
--- a/apps/routerconsole/jsp/configupdate.jsp
+++ b/apps/routerconsole/jsp/configupdate.jsp
@ -41,7 +41,7 @@
            <% } %></td></tr>
        <tr><td colspan="2"><br></td></tr>
        <tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td>
-          <td><input type="text" size="60" name="newsURL" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
+          <td><input type="text" size="60" name="newsURL" readonly="readonly" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b>
          <td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr>
    <% if (updatehelper.canInstall()) { %>
@ -65,10 +65,12 @@
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Trusted keys")%>:</b></td>
          <td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr>
      <% }   // if isAdvanced %>
 <!--
        <tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td>
          <td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td>
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td>
          <td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr>
 -->
    <% } else { %>
        <tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr>
    <% }   // if canInstall %>
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@ -30,8 +30,11 @@
 <link rel="icon" href="<%=intl.getTheme(request.getHeader("User-Agent"))%>images/favicon.ico">
 <%
   // clickjacking
-   if (intl.shouldSendXFrame())
+   if (intl.shouldSendXFrame()) {
      response.setHeader("X-Frame-Options", "SAMEORIGIN");
      response.setHeader("Content-Security-Policy", "default-src 'self'");
      response.setHeader("X-XSS-Protection", "1; mode=block");
   }
   String conNonceParam = request.getParameter("consoleNonce");
   if (intl.getNonce().equals(conNonceParam)) {
--- a/apps/routerconsole/jsp/summaryframe.jsp
+++ b/apps/routerconsole/jsp/summaryframe.jsp
@ -22,12 +22,13 @@
                           "Shutdown immediately".equals(action) || "Restart immediately".equals(action);
    if (!shutdownSoon) {
        if (d == null || "".equals(d)) {
-            d = intl.getRefresh();
+            // set below
        } else {
            d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
            intl.setRefresh(d);
            intl.setDisableRefresh(d);
        }
        d = intl.getRefresh();
        // we probably don't get here if d == "0" since caught in summary.jsi, but just
        // to be sure...
        if (!intl.getDisableRefresh()) {
@ -46,7 +47,7 @@
            long delay = 60;
            try { delay = Long.parseLong(d); } catch (NumberFormatException nfe) {}
            if (delay*1000 < timeleft + 5000)
-                out.print("<meta http-equiv=\"refresh\" content=\"" + d + ";url=/summaryframe.jsp\" >\n");
+                out.print("<meta http-equiv=\"refresh\" content=\"" + delay + ";url=/summaryframe.jsp\" >\n");
            else
                shutdownSoon = true;
        }
--- a/apps/routerconsole/jsp/viewstat.jsp
+++ b/apps/routerconsole/jsp/viewstat.jsp
@ -84,9 +84,11 @@ if ( !rendered && ((rs != null) || fakeBw) ) {
 *  a huge load for a page full of graphs if there's a problem
 */
 if (!rendered) {
-    if (stat != null)
+    if (stat != null) {
        stat = net.i2p.data.DataHelper.stripHTML(stat);
        response.sendError(403, "The stat " + stat + " is not available, it must be enabled for graphing on the stats configuration page.");
-    else
+    } else {
        response.sendError(403, "No stat specified");
    }
 }
 %>
--- a/apps/susidns/src/java/src/i2p/susi/dns/BaseBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/BaseBean.java
@ -142,7 +142,7 @@ public class BaseBean
     * @since 0.9.13 moved from subclasses
     */
    public void setAction(String action) {
-        this.action = action;
+        this.action = DataHelper.stripHTML(action);
    }
    /**
@ -158,7 +158,7 @@ public class BaseBean
     * @since 0.9.13 moved from subclasses
     */
    public void setSerial(String serial) {
-        this.serial = serial;
+        this.serial = DataHelper.stripHTML(serial);
    }
    /**
--- a/apps/susidns/src/java/src/i2p/susi/dns/NamingServiceBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/NamingServiceBean.java
@ -30,6 +30,7 @@ import java.util.Properties;
 import net.i2p.client.naming.NamingService;
 import net.i2p.data.DataFormatException;
 import net.i2p.data.DataHelper;
 import net.i2p.data.Destination;
 /**
@ -322,7 +323,7 @@ public class NamingServiceBean extends AddressbookBean
 	}
 	public void setH(String h) {
-		this.detail = h;
+		this.detail = DataHelper.stripHTML(h);
 	}
 	public AddressBean getLookup() {
--- a/apps/susidns/src/java/src/i2p/susi/dns/SubscriptionsBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/SubscriptionsBean.java
@ -160,7 +160,7 @@ public class SubscriptionsBean extends BaseBean
 	public void setContent(String content) {
 		// will come from form with \r\n line endings
-		this.content = content;
+		this.content = DataHelper.stripHTML(content);
 	}
 	public String getContent()
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@ -28,6 +28,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %>
 <%@page pageEncoding="UTF-8"%>
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@ -28,6 +28,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %>
 <%@page pageEncoding="UTF-8"%>
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
@ -25,6 +25,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %>
 <%@page pageEncoding="UTF-8"%>
@ -73,6 +75,7 @@
    if (detail == null) {
        %><p>No host specified</p><%
    } else {
        detail = net.i2p.data.DataHelper.stripHTML(detail);
        i2p.susi.dns.AddressBean addr = book.getLookup();
        if (addr == null) {
            %><p>Not found: <%=detail%></p><%
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@ -28,6 +28,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %>
 <%@page pageEncoding="UTF-8"%>
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@ -28,6 +28,8 @@
        request.setCharacterEncoding("UTF-8");
    response.setHeader("X-Frame-Options", "SAMEORIGIN");
    response.setHeader("Content-Security-Policy", "default-src 'self'");
    response.setHeader("X-XSS-Protection", "1; mode=block");
 %>
 <%@page pageEncoding="UTF-8"%>
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@ -1562,6 +1562,8 @@ public class WebMail extends HttpServlet
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
                response.setHeader("X-Frame-Options", "SAMEORIGIN");
                response.setHeader("Content-Security-Policy", "default-src 'self'");
                response.setHeader("X-XSS-Protection", "1; mode=block");
 		RequestWrapper request = new RequestWrapper( httpRequest );
 		SessionObject sessionObject = null;
--- a/core/java/src/net/i2p/client/naming/ExecNamingService.java
+++ b/core/java/src/net/i2p/client/naming/ExecNamingService.java
@ -57,6 +57,8 @@ public class ExecNamingService extends DummyNamingService {
     */
    public ExecNamingService(I2PAppContext context) {
        super(context);
        // disable for now
        throw new UnsupportedOperationException();
    }
    @Override
--- a/core/java/src/net/i2p/data/DataHelper.java
+++ b/core/java/src/net/i2p/data/DataHelper.java
@ -478,12 +478,14 @@ public class DataHelper {
                String val = (String) entry.getValue();
                if (name.contains("#") ||
                    name.contains("=") ||
                    name.contains("\r") ||
                    name.contains("\n") ||
                    name.startsWith(";") ||
                    val.contains("#") ||
                    val.contains("\r") ||
                    val.contains("\n")) {
                    if (iae == null)
-                        iae = new IllegalArgumentException("Invalid character (one of \"#;=\\n\") in key or value: \"" +
+                        iae = new IllegalArgumentException("Invalid character (one of \"#;=\\r\\n\") in key or value: \"" +
                                                           name + "\" = \"" + val + '\"');
                    continue;
                }
@ -1622,6 +1624,7 @@ public class DataHelper {
        if (orig == null) return "";
        String t1 = orig.replace('<', ' ');
        String rv = t1.replace('>', ' ');
        rv = rv.replace("\"", "%22");
        return rv;
    }
--- a/history.txt
+++ b/history.txt
@ -1,3 +1,15 @@
 2014-07-26 zzz
 * Console:
   - Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
   - Add Content-Security-Policy and X-XSS-Protection headers
   - Disable changing news feed URL from UI
   - Disable plugin install from UI
   - Disable setting unsigned update URL from UI
   - Disable /configadvanced
 * DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
 * ExecNamingService: Disable (thx joernchen of Phenoelit)
 * Startup: Add susimail.config to migrated files
 2014-07-23 kytv
 * Updates to geoip.txt and geoipv6.dat.gz based on Maxmind GeoLite Country
   database from 2014-07-02.
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@ -18,10 +18,10 @@ public class RouterVersion {
    /** deprecated */
    public final static String ID = "Monotone";
    public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 19;
+    public final static long BUILD = 20;
    /** for example "-test" */
-    public final static String EXTRA = "";
+    public final static String EXTRA = "-rc";
    public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;
    public static void main(String args[]) {
        System.out.println("I2P Router version: " + FULL_VERSION);
--- a/router/java/src/net/i2p/router/startup/WorkingDir.java
+++ b/router/java/src/net/i2p/router/startup/WorkingDir.java
@ -272,10 +272,10 @@ public class WorkingDir {
        // but distros might put one in
        "addressbook,eepsite," +
        // base install - files
-        // We don't currently have a default router.config, logger.config, or webapps.config in the base distribution,
+        // We don't currently have a default router.config, logger.config, susimail.config, or webapps.config in the base distribution,
        // but distros might put one in
        "blocklist.txt,hosts.txt,i2psnark.config,i2ptunnel.config,jetty-i2psnark.xml," +
-        "logger.config,router.config,systray.config,webapps.config";
+        "logger.config,router.config,susimail.config,systray.config,webapps.config";
    private static boolean migrate(String list, File olddir, File todir) {
        boolean rv = true;