* Console:

- Fix update buttons
   - Don't filter parameter names starting with "nofilter_"
   - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
   - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
   - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
   - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
   - More escaping
 * i2psnark: Fix add torrent form
zzz
2014-08-03 13:58:51 +00:00
parent bf9c4b2346
commit b28eb708a4
26 changed files with 289 additions and 131 deletions


@ -241,7 +241,20 @@ public class SnarkManager implements CompleteListener {
private static final int MAX_MESSAGES = 100;
/**
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/
public void addMessage(String message) {
addMessageNoEscape(message.replace("<", "&lt;").replace(">", "&gt;"));
}
/**
* Use if it includes a link.
* Does not escape '<' and '>' before queueing
* @since 0.9.14.1
*/
public void addMessageNoEscape(String message) {
_messages.offer(message);
while (_messages.size() > MAX_MESSAGES) {
_messages.poll();
@ -579,7 +592,7 @@ public class SnarkManager implements CompleteListener {
}
if (dataDir != null && !dataDir.equals(getDataDir().getAbsolutePath())) {
dataDir = dataDir.trim();
dataDir = DataHelper.stripHTML(dataDir.trim());
File dd = new File(dataDir);
if (!dd.isAbsolute()) {
addMessage(_("Data directory must be an absolute path") + ": " + dataDir);
@ -609,7 +622,7 @@ public class SnarkManager implements CompleteListener {
}
Map<String, String> opts = new HashMap<String, String>();
if (i2cpOpts == null) i2cpOpts = "";
i2cpOpts = DataHelper.stripHTML(i2cpOpts);
StringTokenizer tok = new StringTokenizer(i2cpOpts, " \t\n");
while (tok.hasMoreTokens()) {
String pair = tok.nextToken();
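Review bot: `addMessage` on L27 escapes only `<` and `>`, so an `&` in a message (a URL query string, for instance) passes through and is decoded by the browser if the queued messages are rendered as HTML text, which the javadoc on L22–L25 implies; escaping `&` first keeps the other two replacements correct: `addMessageNoEscape(message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"));`. Quotes are also left alone, which only matters if a caller ever places a message inside an attribute; the rendering code is outside this section, so I can't confirm either way from here. On L42 `stripHTML` rewrites the data directory path rather than rejecting it, so a path containing characters that `stripHTML` removes would silently point at a different directory; an `addMessage` error like the one on L45 would be the clearer outcome.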


@ -711,7 +711,7 @@ public class I2PSnarkServlet extends BasicServlet {
// return;
//}
if ("Add".equals(action)) {
String newURL = req.getParameter("newURL");
String newURL = req.getParameter("nofilter_newURL");
/******
// NOTE - newFile currently disabled in HTML form - see below
File f = null;
@ -747,7 +747,13 @@ public class I2PSnarkServlet extends BasicServlet {
} else
*****/
if (newURL != null) {
if (newURL.startsWith("http://")) {
if (newURL.contains("<") || newURL.contains(">") ||
newURL.contains("%3C") || newURL.contains("%3E") ||
newURL.contains("%3c") || newURL.contains("%3e") ||
newURL.contains("\"") || newURL.contains("'") ||
newURL.contains("%22") || newURL.contains("%27")) {
_manager.addMessage("Invalid URL");
} else if (newURL.startsWith("http://")) {
FetchAndAdd fetch = new FetchAndAdd(_context, _manager, newURL);
_manager.addDownloader(fetch);
} else if (newURL.startsWith(MagnetURI.MAGNET) || newURL.startsWith(MagnetURI.MAGGOT)) {
@ -937,7 +943,7 @@ public class I2PSnarkServlet extends BasicServlet {
if (k.startsWith("backup_")) {
String url = k.substring(7);
if (!url.equals(announceURL))
backupURLs.add(url);
backupURLs.add(DataHelper.stripHTML(url));
}
}
List<List<String>> announceList = null;
@ -1036,7 +1042,7 @@ public class I2PSnarkServlet extends BasicServlet {
Tracker t;
if ((t = trackers.remove(k)) != null) {
removed.add(t.announceURL);
_manager.addMessage(_("Removed") + ": " + k);
_manager.addMessage(_("Removed") + ": " + DataHelper.stripHTML(k));
changed = true;
}
} else if (k.startsWith("open_")) {
@ -1070,9 +1076,9 @@ public class I2PSnarkServlet extends BasicServlet {
String hurl = req.getParameter("thurl");
String aurl = req.getParameter("taurl");
if (name != null && hurl != null && aurl != null) {
name = name.trim();
hurl = hurl.trim();
aurl = aurl.trim().replace("=", "&#61;");
name = DataHelper.stripHTML(name.trim());
hurl = DataHelper.stripHTML(hurl.trim());
aurl = DataHelper.stripHTML(aurl.trim()).replace("=", "&#61;");
if (name.length() > 0 && hurl.startsWith("http://") && TrackerClient.isValidAnnounce(aurl)) {
Map<String, Tracker> trackers = _manager.getTrackerMap();
trackers.put(name, new Tracker(name, aurl, hurl));
@ -1716,7 +1722,7 @@ public class I2PSnarkServlet extends BasicServlet {
private void writeAddForm(PrintWriter out, HttpServletRequest req) throws IOException {
// display incoming parameter if a GET so links will work
String newURL = req.getParameter("newURL");
String newURL = req.getParameter("nofilter_newURL");
if (newURL == null || newURL.trim().length() <= 0 || req.getMethod().equals("POST"))
newURL = "";
else
@ -1732,13 +1738,13 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting
String peerParam = req.getParameter("p");
if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n");
out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<div class=\"addtorrentsection\"><span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "add.png\"> ");
out.write(_("Add Torrent"));
out.write("</span><hr>\n<table border=\"0\"><tr><td>");
out.write(_("From URL"));
out.write(":<td><input type=\"text\" name=\"newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\"");
out.write(":<td><input type=\"text\" name=\"nofilter_newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\"");
out.write(" title=\"");
out.write(_("Enter the torrent file download URL (I2P only), magnet link, maggot link, or info hash"));
out.write("\"> \n");
@ -1770,7 +1776,7 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting
String peerParam = req.getParameter("p");
if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n");
out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "create.png\"> ");
out.write(_("Create Torrent"));
@ -2202,6 +2208,7 @@ public class I2PSnarkServlet extends BasicServlet {
/** @since 0.8.13 */
private static String urlEncode(String s) {
return s.replace(";", "%3B").replace("&", "&amp;").replace(" ", "%20")
.replace("<", "&lt;").replace(">", "&gt;")
.replace("[", "%5B").replace("]", "%5D");
}
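Review bot: The new rejection message on L76, `_manager.addMessage("Invalid URL");`, is the only message in this section not wrapped for translation; the surrounding code uses `_("...")` (L45, L94), so it should read `_manager.addMessage(_("Invalid URL"));`. The character denylist on L71–L75 is also hard to audit as ten chained `contains()` calls; extracting it into a small helper such as `private static boolean hasUnsafeUrlChars(String u)` with a comment stating why the percent-encoded forms are included alongside the literal characters would make the intent clear. The same parameter is echoed into a `value` attribute on L132 from the GET path in `writeAddForm` (L116), whose `else` branch at L119 continues outside the hunk, so I can't confirm from here that it applies equivalent escaping; worth checking, since the POST-side check at L71 does not run on that path.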