* Console:

- Fix update buttons
   - Don't filter parameter names starting with "nofilter_"
   - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
   - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
   - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
   - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
   - More escaping
 * i2psnark: Fix add torrent form

apps/routerconsole/java/src/net/i2p/router/update/PluginUpdateRunner.java

@@ -54,6 +54,7 @@ class PluginUpdateRunner extends UpdateRunner {
     private static final String XPI2P = "app.xpi2p";
     private static final String ZIP = XPI2P + ".zip";
     public static final String PLUGIN_DIR = PluginStarter.PLUGIN_DIR;
+    private static final String PROP_ALLOW_NEW_KEYS = "routerconsole.allowUntrustedPlugins";
 
     public PluginUpdateRunner(RouterContext ctx, ConsoleUpdateManager mgr, List<URI> uris,
                               String appName, String oldVersion ) {
@@ -162,7 +163,7 @@ class PluginUpdateRunner extends UpdateRunner {
 
             // ok, now we check sigs and deal with a bad sig
             String pubkey = props.getProperty("key");
-            String signer = props.getProperty("signer");
+            String signer = DataHelper.stripHTML(props.getProperty("signer"));
             if (pubkey == null || signer == null || pubkey.length() != 172 || signer.length() <= 0) {
                 f.delete();
                 to.delete();
@@ -179,6 +180,14 @@ class PluginUpdateRunner extends UpdateRunner {
                 up.addKey(e.getKey(), e.getValue());
             }
 
+            // add all trusted plugin keys, so any conflicts with trusted keys
+            // will be discovered and rejected
+            Map<String, String> trustedKeys = TrustedPluginKeys.getKeys();
+            for (Map.Entry<String, String> e : trustedKeys.entrySet()) {
+                // ignore dups/bad keys
+                up.addKey(e.getKey(), e.getValue());
+            }
+
             if (up.haveKey(pubkey)) {
                 // the key is already in the TrustedUpdate keyring
                 // verify the sig and verify that it is signed by the signer in the plugin.config file
@@ -194,7 +203,7 @@ class PluginUpdateRunner extends UpdateRunner {
                     statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
                     return;
                 }
-            } else {
+            } else if (_context.getBooleanProperty(PROP_ALLOW_NEW_KEYS)) {
                 // add to keyring...
                 if(!up.addKey(pubkey, signer)) {
                     // bad or duplicate key
@@ -218,6 +227,14 @@ class PluginUpdateRunner extends UpdateRunner {
                     statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
                     return;
                 }
+            } else {
+                // unknown key
+                f.delete();
+                to.delete();
+                _log.error("Untrusted plugin key \"" + pubkey + "\" for plugin signer \"" + signer + "\"");
+                // don't display signer, we're really checking the key not the signer name
+                statusDone("<b>" + _("Plugin not installed - signer is untrusted") + "</b>");
+                return;
             }
 
             String sudVersion = TrustedUpdate.getVersionString(f);