* Console:

- Fix update buttons
   - Don't filter parameter names starting with "nofilter_"
   - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
   - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
   - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
   - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
   - More escaping
 * i2psnark: Fix add torrent form
This commit is contained in:
zzz
2014-08-03 13:58:51 +00:00
parent bf9c4b2346
commit b28eb708a4
26 changed files with 289 additions and 131 deletions


@ -241,7 +241,20 @@ public class SnarkManager implements CompleteListener {
private static final int MAX_MESSAGES = 100; private static final int MAX_MESSAGES = 100;
/**
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/
public void addMessage(String message) { public void addMessage(String message) {
addMessageNoEscape(message.replace("<", "&lt;").replace(">", "&gt;"));
}
/**
* Use if it includes a link.
* Does not escape '<' and '>' before queueing
* @since 0.9.14.1
*/
public void addMessageNoEscape(String message) {
_messages.offer(message); _messages.offer(message);
while (_messages.size() > MAX_MESSAGES) { while (_messages.size() > MAX_MESSAGES) {
_messages.poll(); _messages.poll();
@ -579,7 +592,7 @@ public class SnarkManager implements CompleteListener {
} }
if (dataDir != null && !dataDir.equals(getDataDir().getAbsolutePath())) { if (dataDir != null && !dataDir.equals(getDataDir().getAbsolutePath())) {
dataDir = dataDir.trim(); dataDir = DataHelper.stripHTML(dataDir.trim());
File dd = new File(dataDir); File dd = new File(dataDir);
if (!dd.isAbsolute()) { if (!dd.isAbsolute()) {
addMessage(_("Data directory must be an absolute path") + ": " + dataDir); addMessage(_("Data directory must be an absolute path") + ": " + dataDir);
@ -609,7 +622,7 @@ public class SnarkManager implements CompleteListener {
} }
Map<String, String> opts = new HashMap<String, String>(); Map<String, String> opts = new HashMap<String, String>();
if (i2cpOpts == null) i2cpOpts = ""; i2cpOpts = DataHelper.stripHTML(i2cpOpts);
StringTokenizer tok = new StringTokenizer(i2cpOpts, " \t\n"); StringTokenizer tok = new StringTokenizer(i2cpOpts, " \t\n");
while (tok.hasMoreTokens()) { while (tok.hasMoreTokens()) {
String pair = tok.nextToken(); String pair = tok.nextToken();
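Review bot: The null guard dropped on the `i2cpOpts` line of the third hunk now depends on `DataHelper.stripHTML(null)` returning a non-null string; if it returns null, the `new StringTokenizer(i2cpOpts, " \t\n")` on the next line throws a NullPointerException where the old code silently used an empty string. If stripHTML does map null to "", a one-line comment would keep the next reader from re-adding the guard: `// stripHTML() maps null to "", so no null check is needed here`. In the second hunk stripHTML is applied to the data directory before it is used as a filesystem path, so any characters it replaces are silently changed in the path the user typed, and the error message that follows will display the altered value rather than the input; a comment or a message that says the value was sanitized would avoid confusion. The enclosing method of each hunk starts and ends outside the hunk.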


@ -711,7 +711,7 @@ public class I2PSnarkServlet extends BasicServlet {
// return; // return;
//} //}
if ("Add".equals(action)) { if ("Add".equals(action)) {
String newURL = req.getParameter("newURL"); String newURL = req.getParameter("nofilter_newURL");
/****** /******
// NOTE - newFile currently disabled in HTML form - see below // NOTE - newFile currently disabled in HTML form - see below
File f = null; File f = null;
@ -747,7 +747,13 @@ public class I2PSnarkServlet extends BasicServlet {
} else } else
*****/ *****/
if (newURL != null) { if (newURL != null) {
if (newURL.startsWith("http://")) { if (newURL.contains("<") || newURL.contains(">") ||
newURL.contains("%3C") || newURL.contains("%3E") ||
newURL.contains("%3c") || newURL.contains("%3e") ||
newURL.contains("\"") || newURL.contains("'") ||
newURL.contains("%22") || newURL.contains("%27")) {
_manager.addMessage("Invalid URL");
} else if (newURL.startsWith("http://")) {
FetchAndAdd fetch = new FetchAndAdd(_context, _manager, newURL); FetchAndAdd fetch = new FetchAndAdd(_context, _manager, newURL);
_manager.addDownloader(fetch); _manager.addDownloader(fetch);
} else if (newURL.startsWith(MagnetURI.MAGNET) || newURL.startsWith(MagnetURI.MAGGOT)) { } else if (newURL.startsWith(MagnetURI.MAGNET) || newURL.startsWith(MagnetURI.MAGGOT)) {
@ -937,7 +943,7 @@ public class I2PSnarkServlet extends BasicServlet {
if (k.startsWith("backup_")) { if (k.startsWith("backup_")) {
String url = k.substring(7); String url = k.substring(7);
if (!url.equals(announceURL)) if (!url.equals(announceURL))
backupURLs.add(url); backupURLs.add(DataHelper.stripHTML(url));
} }
} }
List<List<String>> announceList = null; List<List<String>> announceList = null;
@ -1036,7 +1042,7 @@ public class I2PSnarkServlet extends BasicServlet {
Tracker t; Tracker t;
if ((t = trackers.remove(k)) != null) { if ((t = trackers.remove(k)) != null) {
removed.add(t.announceURL); removed.add(t.announceURL);
_manager.addMessage(_("Removed") + ": " + k); _manager.addMessage(_("Removed") + ": " + DataHelper.stripHTML(k));
changed = true; changed = true;
} }
} else if (k.startsWith("open_")) { } else if (k.startsWith("open_")) {
@ -1070,9 +1076,9 @@ public class I2PSnarkServlet extends BasicServlet {
String hurl = req.getParameter("thurl"); String hurl = req.getParameter("thurl");
String aurl = req.getParameter("taurl"); String aurl = req.getParameter("taurl");
if (name != null && hurl != null && aurl != null) { if (name != null && hurl != null && aurl != null) {
name = name.trim(); name = DataHelper.stripHTML(name.trim());
hurl = hurl.trim(); hurl = DataHelper.stripHTML(hurl.trim());
aurl = aurl.trim().replace("=", "&#61;"); aurl = DataHelper.stripHTML(aurl.trim()).replace("=", "&#61;");
if (name.length() > 0 && hurl.startsWith("http://") && TrackerClient.isValidAnnounce(aurl)) { if (name.length() > 0 && hurl.startsWith("http://") && TrackerClient.isValidAnnounce(aurl)) {
Map<String, Tracker> trackers = _manager.getTrackerMap(); Map<String, Tracker> trackers = _manager.getTrackerMap();
trackers.put(name, new Tracker(name, aurl, hurl)); trackers.put(name, new Tracker(name, aurl, hurl));
@ -1716,7 +1722,7 @@ public class I2PSnarkServlet extends BasicServlet {
private void writeAddForm(PrintWriter out, HttpServletRequest req) throws IOException { private void writeAddForm(PrintWriter out, HttpServletRequest req) throws IOException {
// display incoming parameter if a GET so links will work // display incoming parameter if a GET so links will work
String newURL = req.getParameter("newURL"); String newURL = req.getParameter("nofilter_newURL");
if (newURL == null || newURL.trim().length() <= 0 || req.getMethod().equals("POST")) if (newURL == null || newURL.trim().length() <= 0 || req.getMethod().equals("POST"))
newURL = ""; newURL = "";
else else
@ -1732,13 +1738,13 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting // don't lose peer setting
String peerParam = req.getParameter("p"); String peerParam = req.getParameter("p");
if (peerParam != null) if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n"); out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<div class=\"addtorrentsection\"><span class=\"snarkConfigTitle\">"); out.write("<div class=\"addtorrentsection\"><span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "add.png\"> "); out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "add.png\"> ");
out.write(_("Add Torrent")); out.write(_("Add Torrent"));
out.write("</span><hr>\n<table border=\"0\"><tr><td>"); out.write("</span><hr>\n<table border=\"0\"><tr><td>");
out.write(_("From URL")); out.write(_("From URL"));
out.write(":<td><input type=\"text\" name=\"newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\""); out.write(":<td><input type=\"text\" name=\"nofilter_newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\"");
out.write(" title=\""); out.write(" title=\"");
out.write(_("Enter the torrent file download URL (I2P only), magnet link, maggot link, or info hash")); out.write(_("Enter the torrent file download URL (I2P only), magnet link, maggot link, or info hash"));
out.write("\"> \n"); out.write("\"> \n");
@ -1770,7 +1776,7 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting // don't lose peer setting
String peerParam = req.getParameter("p"); String peerParam = req.getParameter("p");
if (peerParam != null) if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n"); out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<span class=\"snarkConfigTitle\">"); out.write("<span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "create.png\"> "); out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "create.png\"> ");
out.write(_("Create Torrent")); out.write(_("Create Torrent"));
@ -2202,6 +2208,7 @@ public class I2PSnarkServlet extends BasicServlet {
/** @since 0.8.13 */ /** @since 0.8.13 */
private static String urlEncode(String s) { private static String urlEncode(String s) {
return s.replace(";", "%3B").replace("&", "&amp;").replace(" ", "%20") return s.replace(";", "%3B").replace("&", "&amp;").replace(" ", "%20")
.replace("<", "&lt;").replace(">", "&gt;")
.replace("[", "%5B").replace("]", "%5D"); .replace("[", "%5B").replace("]", "%5D");
} }
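Review bot: The `newURL` check in the second hunk is a deny-list of `<`, `>`, quotes and their percent-encoded forms, which is brittle for a value that is now read unfiltered via `nofilter_newURL`: a second layer of percent-encoding, or any other character that later lands in an HTML attribute, is not covered. An allow-list of the characters a URL, magnet, maggot link or info hash may legitimately contain, tested once against a `private static final Pattern`, states the accepted shape directly and leaves the scheme checks that follow unchanged. In the last hunk `urlEncode` now entity-encodes `<`, `>` and `&` but not `"`, so its result is still not safe inside a double-quoted attribute unless the caller escapes quotes; a Javadoc naming the intended output context would help, e.g. `/** Encodes a URL for use inside an HTML attribute; does not escape double quotes. */`. In `writeAddForm` the raw `nofilter_newURL` value is written into the `value` attribute of the input on a GET, and the `else` branch that would escape it is cut off by the hunk, so that should be confirmed.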


@ -927,7 +927,7 @@ public class IndexBean {
_newProxyUser = s.trim(); _newProxyUser = s.trim();
} }
public void setProxyPassword(String s) { public void setNofilter_proxyPassword(String s) {
if (s != null) if (s != null)
_newProxyPW = s.trim(); _newProxyPW = s.trim();
} }
@ -941,7 +941,7 @@ public class IndexBean {
_otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_USER, s.trim()); _otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_USER, s.trim());
} }
public void setOutproxyPassword(String s) { public void setNofilter_outproxyPassword(String s) {
if (s != null) if (s != null)
_otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_PW, s.trim()); _otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_PW, s.trim());
} }
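Review bot: With the proxy and outproxy password setters renamed to `setNofilter_*`, these values now reach `_newProxyPW` and `_otherOptions` without the XSS filter, so the rendering side must escape them; the i2ptunnel edit form in this commit writes `editBean.getOutproxyPassword(curTunnel)` straight into a double-quoted `value` attribute, and that getter is not part of this diff, so whether it HTML-escapes cannot be confirmed here. The same applies to `ConfigReseedHelper.getNofilter_password()` and `getNofilter_spassword()` later in this commit, which return the stored property unchanged. A short Javadoc on each renamed setter would record the contract, e.g. `/** Not XSS-filtered (nofilter_ prefix); escape wherever the value is rendered. */`. The enclosing class continues outside both hunks.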


@ -540,7 +540,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<label> <label>
<%=intl._("Password")%>: <%=intl._("Password")%>:
</label> </label>
<input type="password" id="clientPort" name="proxyPassword" title="Set password for this service" value="" class="freetext" /> <input type="password" id="clientPort" name="nofilter_proxyPassword" title="Set password for this service" value="" class="freetext" />
</div> </div>
<div class="subdivider"> <div class="subdivider">
<hr /> <hr />
@ -564,7 +564,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<label> <label>
<%=intl._("Password")%>: <%=intl._("Password")%>:
</label> </label>
<input type="password" id="clientPort" name="outproxyPassword" title="Enter password required by outproxy" value="<%=editBean.getOutproxyPassword(curTunnel)%>" class="freetext" /> <input type="password" id="clientPort" name="nofilter_outproxyPassword" title="Enter password required by outproxy" value="<%=editBean.getOutproxyPassword(curTunnel)%>" class="freetext" />
</div> </div>
<div class="subdivider"> <div class="subdivider">
<hr /> <hr />


@ -21,14 +21,20 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
// Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties // Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
private static final Pattern parameterValuePattern = Pattern.compile("^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$"); private static final Pattern parameterValuePattern = Pattern.compile("^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$");
private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$"); private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$");
private static final String NOFILTER = "nofilter_";
public XSSRequestWrapper(HttpServletRequest servletRequest) { public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest); super(servletRequest);
} }
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override @Override
public String[] getParameterValues(String parameter) { public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter); String[] values = super.getParameterValues(parameter);
if (parameter.startsWith(NOFILTER))
return values;
if (values == null) { if (values == null) {
return null; return null;
@ -58,9 +64,14 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return encodedValues; return encodedValues;
} }
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override @Override
public String getParameter(String parameter) { public String getParameter(String parameter) {
String value = super.getParameter(parameter); String value = super.getParameter(parameter);
if (parameter.startsWith(NOFILTER))
return value;
String rv = stripXSS(value, parameterValuePattern); String rv = stripXSS(value, parameterValuePattern);
if (value != null && rv == null) { if (value != null && rv == null) {
Log log = I2PAppContext.getGlobalContext().logManager().getLog(XSSRequestWrapper.class); Log log = I2PAppContext.getGlobalContext().logManager().getLog(XSSRequestWrapper.class);
@ -69,6 +80,9 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return rv; return rv;
} }
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override @Override
public Map getParameterMap() { public Map getParameterMap() {
Map rv = new HashMap(); Map rv = new HashMap();
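Review bot: The `nofilter_` bypass in `getParameterValues` and `getParameter` is decided by the client-supplied parameter name, so any handler that iterates parameter names (the `backup_`/`open_` key loops and `_settings` lookups elsewhere in this commit) receives unfiltered text for any `nofilter_*` name; the Javadoc should state that responsibility, e.g. `Parameter names starting with "nofilter_" bypass the XSS filter entirely; callers must validate or escape those values themselves.` Only the Javadoc of `getParameterMap` is visible in the third hunk and its body continues past it, so whether the map honors the prefix consistently with the other two accessors cannot be confirmed from this view. `parameter.startsWith(NOFILTER)` runs after the `super` call, so a null parameter name would reach the prefix check and throw; placing the prefix check first, with the existing null handling after it, keeps the three accessors uniform.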


@ -54,6 +54,7 @@ class PluginUpdateRunner extends UpdateRunner {
private static final String XPI2P = "app.xpi2p"; private static final String XPI2P = "app.xpi2p";
private static final String ZIP = XPI2P + ".zip"; private static final String ZIP = XPI2P + ".zip";
public static final String PLUGIN_DIR = PluginStarter.PLUGIN_DIR; public static final String PLUGIN_DIR = PluginStarter.PLUGIN_DIR;
private static final String PROP_ALLOW_NEW_KEYS = "routerconsole.allowUntrustedPlugins";
public PluginUpdateRunner(RouterContext ctx, ConsoleUpdateManager mgr, List<URI> uris, public PluginUpdateRunner(RouterContext ctx, ConsoleUpdateManager mgr, List<URI> uris,
String appName, String oldVersion ) { String appName, String oldVersion ) {
@ -162,7 +163,7 @@ class PluginUpdateRunner extends UpdateRunner {
// ok, now we check sigs and deal with a bad sig // ok, now we check sigs and deal with a bad sig
String pubkey = props.getProperty("key"); String pubkey = props.getProperty("key");
String signer = props.getProperty("signer"); String signer = DataHelper.stripHTML(props.getProperty("signer"));
if (pubkey == null || signer == null || pubkey.length() != 172 || signer.length() <= 0) { if (pubkey == null || signer == null || pubkey.length() != 172 || signer.length() <= 0) {
f.delete(); f.delete();
to.delete(); to.delete();
@ -179,6 +180,14 @@ class PluginUpdateRunner extends UpdateRunner {
up.addKey(e.getKey(), e.getValue()); up.addKey(e.getKey(), e.getValue());
} }
// add all trusted plugin keys, so any conflicts with trusted keys
// will be discovered and rejected
Map<String, String> trustedKeys = TrustedPluginKeys.getKeys();
for (Map.Entry<String, String> e : trustedKeys.entrySet()) {
// ignore dups/bad keys
up.addKey(e.getKey(), e.getValue());
}
if (up.haveKey(pubkey)) { if (up.haveKey(pubkey)) {
// the key is already in the TrustedUpdate keyring // the key is already in the TrustedUpdate keyring
// verify the sig and verify that it is signed by the signer in the plugin.config file // verify the sig and verify that it is signed by the signer in the plugin.config file
@ -194,7 +203,7 @@ class PluginUpdateRunner extends UpdateRunner {
statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>"); statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
return; return;
} }
} else { } else if (_context.getBooleanProperty(PROP_ALLOW_NEW_KEYS)) {
// add to keyring... // add to keyring...
if(!up.addKey(pubkey, signer)) { if(!up.addKey(pubkey, signer)) {
// bad or duplicate key // bad or duplicate key
@ -218,6 +227,14 @@ class PluginUpdateRunner extends UpdateRunner {
statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>"); statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
return; return;
} }
} else {
// unknown key
f.delete();
to.delete();
_log.error("Untrusted plugin key \"" + pubkey + "\" for plugin signer \"" + signer + "\"");
// don't display signer, we're really checking the key not the signer name
statusDone("<b>" + _("Plugin not installed - signer is untrusted") + "</b>");
return;
} }
String sudVersion = TrustedUpdate.getVersionString(f); String sudVersion = TrustedUpdate.getVersionString(f);
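Review bot: The trusted keys are added to `up` after the loop that adds already-installed plugin keys, under the comment `ignore dups/bad keys`; if `addKey` rejects a later entry whose key or signer name collides with an earlier one (its rules are not visible here), an installed plugin's key wins the conflict over the trusted key, and the following `up.haveKey(pubkey)` check then treats a genuinely trusted key as unknown. Adding the `TrustedPluginKeys.getKeys()` entries before the installed-plugin keys would let the trusted set win such conflicts; please confirm against `TrustedUpdate.addKey`. The new `PROP_ALLOW_NEW_KEYS` constant deserves a Javadoc stating what enabling it does, e.g. `/** If true, a plugin signed by a key absent from TrustedPluginKeys is accepted and its key added to the keyring; false unless set. */`. The enclosing method continues outside the hunks.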


@ -57,7 +57,8 @@ public class CSSHelper extends HelperBase {
*/ */
public void setLang(String lang) { public void setLang(String lang) {
// Protected with nonce in css.jsi // Protected with nonce in css.jsi
if (lang != null && lang.length() > 0 && lang.length() <= 6) { if (lang != null && lang.length() >= 2 && lang.length() <= 6 &&
lang.replaceAll("[a-zA-Z_]", "").length() == 0) {
Map m = new HashMap(2); Map m = new HashMap(2);
int under = lang.indexOf('_'); int under = lang.indexOf('_');
if (under < 0) { if (under < 0) {
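Review bot: The new character test on `lang`, `lang.replaceAll("[a-zA-Z_]", "").length() == 0`, builds a string only to test membership; together with the length bounds it is equivalent to `lang != null && lang.matches("[a-zA-Z_]{2,6}")`, which states the accepted shape in one place. Either form compiles the regex on every call; a `private static final Pattern` would avoid that, though this is unlikely to be a hot path. The enclosing method `setLang` continues past the hunk.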


@ -21,8 +21,10 @@ public class ConfigAdvancedHandler extends FormHandler {
@Override @Override
protected void processForm() { protected void processForm() {
if (_shouldSave) { if (_shouldSave) {
//saveChanges(); if (isAdvanced())
addFormError("Save disabled, edit the router.config file to make changes") ; saveChanges();
else
addFormError("Save disabled, edit the router.config file to make changes") ;
} else { } else {
// noop // noop
} }
@ -31,7 +33,7 @@ public class ConfigAdvancedHandler extends FormHandler {
public void setShouldsave(String moo) { _shouldSave = true; } public void setShouldsave(String moo) { _shouldSave = true; }
//public void setRestart(String moo) { _forceRestart = true; } //public void setRestart(String moo) { _forceRestart = true; }
public void setConfig(String val) { public void setNofilter_config(String val) {
_config = val; _config = val;
} }
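Review bot: The error message on the `addFormError` line tells the user to edit router.config but not that saving is now enabled by `routerconsole.advanced=true`, which is the actual gate; `addFormError("Save disabled, edit the router.config file to make changes, or set routerconsole.advanced=true");` would save a trip to the documentation. The renamed `setNofilter_config` stores the raw, unfiltered text, and `saveChanges()` lies outside this hunk, so it must be the place that parses and validates key/value lines rather than trusting the text; a Javadoc on the setter, e.g. `/** Raw, unfiltered config text (nofilter_ prefix); validated in saveChanges(). */`, would record that. The new if/else is unbraced while the surrounding `if (_shouldSave)` block uses braces; matching braces would keep the style uniform.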


@ -3,6 +3,7 @@ package net.i2p.router.web;
import java.util.Map; import java.util.Map;
import java.util.TreeMap; import java.util.TreeMap;
import net.i2p.data.DataHelper;
public class ConfigAdvancedHelper extends HelperBase { public class ConfigAdvancedHelper extends HelperBase {
public ConfigAdvancedHelper() {} public ConfigAdvancedHelper() {}
@ -12,8 +13,8 @@ public class ConfigAdvancedHelper extends HelperBase {
TreeMap<String, String> sorted = new TreeMap<String, String>(); TreeMap<String, String> sorted = new TreeMap<String, String>();
sorted.putAll(_context.router().getConfigMap()); sorted.putAll(_context.router().getConfigMap());
for (Map.Entry<String, String> e : sorted.entrySet()) { for (Map.Entry<String, String> e : sorted.entrySet()) {
String name = e.getKey(); String name = DataHelper.escapeHTML(e.getKey());
String val = e.getValue(); String val = DataHelper.escapeHTML(e.getValue());
buf.append(name).append('=').append(val).append('\n'); buf.append(name).append('=').append(val).append('\n');
} }
return buf.toString(); return buf.toString();


@ -49,17 +49,28 @@ public class ConfigClientsHandler extends FormHandler {
saveWebAppChanges(); saveWebAppChanges();
return; return;
} }
boolean pluginsEnabled = PluginStarter.pluginsEnabled(_context);
if (_action.equals(_("Save Plugin Configuration"))) { if (_action.equals(_("Save Plugin Configuration"))) {
savePluginChanges(); if (pluginsEnabled)
savePluginChanges();
else
addFormError("Plugins disabled");
return; return;
} }
if (_action.equals(_("Install Plugin"))) { if (_action.equals(_("Install Plugin"))) {
//installPlugin(); if (pluginsEnabled &&
addFormError("Plugin installation disabled"); (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_PLUGIN_INSTALL) ||
isAdvanced()))
installPlugin();
else
addFormError("Plugins disabled");
return; return;
} }
if (_action.equals(_("Update All Installed Plugins"))) { if (_action.equals(_("Update All Installed Plugins"))) {
updateAllPlugins(); if (pluginsEnabled)
updateAllPlugins();
else
addFormError("Plugins disabled");
return; return;
} }
// value // value
@ -73,10 +84,14 @@ public class ConfigClientsHandler extends FormHandler {
startClient(appnum); startClient(appnum);
} else { } else {
List<String> plugins = PluginStarter.getPlugins(); List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app)) if (plugins.contains(app)) {
startPlugin(app); if (pluginsEnabled)
else startPlugin(app);
else
addFormError("Plugins disabled");
} else {
startWebApp(app); startWebApp(app);
}
} }
return; return;
} }
@ -90,7 +105,7 @@ public class ConfigClientsHandler extends FormHandler {
} catch (NumberFormatException nfe) {} } catch (NumberFormatException nfe) {}
if (appnum >= 0) { if (appnum >= 0) {
deleteClient(appnum); deleteClient(appnum);
} else { } else if (pluginsEnabled) {
try { try {
PluginStarter.stopPlugin(_context, app); PluginStarter.stopPlugin(_context, app);
} catch (ClassNotFoundException cnfe) { } catch (ClassNotFoundException cnfe) {
@ -108,6 +123,8 @@ public class ConfigClientsHandler extends FormHandler {
addFormError(_("Error deleting plugin {0}", app) + ": " + e); addFormError(_("Error deleting plugin {0}", app) + ": " + e);
_log.error("Error deleting plugin " + app, e); _log.error("Error deleting plugin " + app, e);
} }
} else {
addFormError("Plugins disabled");
} }
return; return;
} }
@ -126,8 +143,12 @@ public class ConfigClientsHandler extends FormHandler {
List<String> plugins = PluginStarter.getPlugins(); List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app)) { if (plugins.contains(app)) {
try { try {
PluginStarter.stopPlugin(_context, app); if (pluginsEnabled) {
addFormNotice(_("Stopped plugin {0}", app)); PluginStarter.stopPlugin(_context, app);
addFormNotice(_("Stopped plugin {0}", app));
} else {
addFormError("Plugins disabled");
}
} catch (Throwable e) { } catch (Throwable e) {
addFormError(_("Error stopping plugin {0}", app) + ": " + e); addFormError(_("Error stopping plugin {0}", app) + ": " + e);
_log.error("Error stopping plugin " + app, e); _log.error("Error stopping plugin " + app, e);
@ -142,15 +163,23 @@ public class ConfigClientsHandler extends FormHandler {
// value // value
if (_action.startsWith("Update ")) { if (_action.startsWith("Update ")) {
String app = _action.substring(7); if (pluginsEnabled) {
updatePlugin(app); String app = _action.substring(7);
updatePlugin(app);
} else {
addFormError("Plugins disabled");
}
return; return;
} }
// value // value
if (_action.startsWith("Check ")) { if (_action.startsWith("Check ")) {
String app = _action.substring(6); if (pluginsEnabled) {
checkPlugin(app); String app = _action.substring(6);
checkPlugin(app);
} else {
addFormError("Plugins disabled");
}
return; return;
} }
@ -168,10 +197,14 @@ public class ConfigClientsHandler extends FormHandler {
startClient(appnum); startClient(appnum);
} else { } else {
List<String> plugins = PluginStarter.getPlugins(); List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app)) if (plugins.contains(app)) {
startPlugin(app); if (pluginsEnabled)
else startPlugin(app);
else
addFormError("Plugins disabled");
} else {
startWebApp(app); startWebApp(app);
}
} }
} else { } else {
//addFormError(_("Unsupported") + ' ' + _action + '.'); //addFormError(_("Unsupported") + ' ' + _action + '.');
@ -187,45 +220,46 @@ public class ConfigClientsHandler extends FormHandler {
if (! (RouterConsoleRunner.class.getName().equals(ca.className))) if (! (RouterConsoleRunner.class.getName().equals(ca.className)))
ca.disabled = val == null; ca.disabled = val == null;
// edit of an existing entry // edit of an existing entry
// disabled if (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_CLIENT_CHANGE) ||
/**** isAdvanced()) {
String desc = getJettyString("desc" + cur); String desc = getJettyString("desc" + cur);
if (desc != null) { if (desc != null) {
int spc = desc.indexOf(" "); int spc = desc.indexOf(" ");
String clss = desc; String clss = desc;
String args = null; String args = null;
if (spc >= 0) { if (spc >= 0) {
clss = desc.substring(0, spc); clss = desc.substring(0, spc);
args = desc.substring(spc + 1); args = desc.substring(spc + 1);
}
ca.className = clss;
ca.args = args;
ca.clientName = getJettyString("name" + cur);
} }
ca.className = clss;
ca.args = args;
ca.clientName = getJettyString("name" + cur);
} }
****/
} }
// disabled // new client
/**** if (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_CLIENT_CHANGE) ||
int newClient = clients.size(); isAdvanced()) {
String newDesc = getJettyString("desc" + newClient); int newClient = clients.size();
if (newDesc != null && newDesc.trim().length() > 0) { String newDesc = getJettyString("desc" + newClient);
// new entry if (newDesc != null && newDesc.trim().length() > 0) {
int spc = newDesc.indexOf(" "); // new entry
String clss = newDesc; int spc = newDesc.indexOf(" ");
String args = null; String clss = newDesc;
if (spc >= 0) { String args = null;
clss = newDesc.substring(0, spc); if (spc >= 0) {
args = newDesc.substring(spc + 1); clss = newDesc.substring(0, spc);
args = newDesc.substring(spc + 1);
}
String name = getJettyString("name" + newClient);
if (name == null || name.trim().length() <= 0) name = "new client";
ClientAppConfig ca = new ClientAppConfig(clss, name, args, 2*60*1000,
_settings.get(newClient + ".enabled") != null);
clients.add(ca);
addFormNotice(_("New client added") + ": " + name + " (" + clss + ").");
} }
String name = getJettyString("name" + newClient);
if (name == null || name.trim().length() <= 0) name = "new client";
ClientAppConfig ca = new ClientAppConfig(clss, name, args, 2*60*1000,
_settings.get(newClient + ".enabled") != null);
clients.add(ca);
addFormNotice(_("New client added") + ": " + name + " (" + clss + ").");
} }
****/
ClientAppConfig.writeClientAppConfig(_context, clients); ClientAppConfig.writeClientAppConfig(_context, clients);
addFormNotice(_("Client configuration saved successfully")); addFormNotice(_("Client configuration saved successfully"));
@ -330,7 +364,7 @@ public class ConfigClientsHandler extends FormHandler {
File path = new File(_context.getBaseDir(), "webapps"); File path = new File(_context.getBaseDir(), "webapps");
path = new File(path, app + ".war"); path = new File(path, app + ".war");
WebAppStarter.startWebApp(_context, s, app, path.getAbsolutePath()); WebAppStarter.startWebApp(_context, s, app, path.getAbsolutePath());
addFormNotice(_("WebApp") + " <a href=\"/" + app + "/\">" + _(app) + "</a> " + _("started") + '.'); addFormNoticeNoEscape(_("WebApp") + " <a href=\"/" + app + "/\">" + _(app) + "</a> " + _("started") + '.');
} catch (Throwable e) { } catch (Throwable e) {
addFormError(_("Failed to start") + ' ' + _(app) + " " + e + '.'); addFormError(_("Failed to start") + ' ' + _(app) + " " + e + '.');
_log.error("Failed to start webapp " + app, e); _log.error("Failed to start webapp " + app, e);
@ -440,7 +474,7 @@ public class ConfigClientsHandler extends FormHandler {
if (intfc != null) if (intfc != null)
changes.put(ClientManagerFacadeImpl.PROP_CLIENT_HOST, intfc); changes.put(ClientManagerFacadeImpl.PROP_CLIENT_HOST, intfc);
String user = getJettyString("user"); String user = getJettyString("user");
String pw = getJettyString("pw"); String pw = getJettyString("nofilter_pw");
if (user != null && pw != null && user.length() > 0 && pw.length() > 0) { if (user != null && pw != null && user.length() > 0 && pw.length() > 0) {
ConsolePasswordManager mgr = new ConsolePasswordManager(_context); ConsolePasswordManager mgr = new ConsolePasswordManager(_context);
mgr.saveHash(ConfigClientsHelper.PROP_AUTH, user, pw); mgr.saveHash(ConfigClientsHelper.PROP_AUTH, user, pw);
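Review bot: The `Install Plugin` branch reports `"Plugins disabled"` when plugins are enabled but neither `routerconsole.enablePluginInstall` nor advanced mode is set, which misstates the cause; keeping the old wording for that case, `addFormError(pluginsEnabled ? "Plugin installation disabled" : "Plugins disabled");`, tells the user which setting to change. The `if (pluginsEnabled) … else addFormError("Plugins disabled")` pattern is repeated in every plugin action across the first six hunks; a small private helper that reports the error and returns the flag, called once per action, would remove the duplication and keep the messages consistent. Unlike the `_(...)`-wrapped notices around them, the new error strings are not passed through `_()` and so will not be translated. The install gate here duplicates `ConfigClientsHelper.isPluginInstallEnabled()` from this same commit, and the two should not be allowed to drift.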


@ -26,9 +26,22 @@ public class ConfigClientsHelper extends HelperBase {
public static final String PROP_ENABLE_SSL = "i2cp.SSL"; public static final String PROP_ENABLE_SSL = "i2cp.SSL";
/** from ClientMessageEventListener */ /** from ClientMessageEventListener */
public static final String PROP_AUTH = "i2cp.auth"; public static final String PROP_AUTH = "i2cp.auth";
public static final String PROP_ENABLE_CLIENT_CHANGE = "routerconsole.enableClientChange";
public static final String PROP_ENABLE_PLUGIN_INSTALL = "routerconsole.enablePluginInstall";
public ConfigClientsHelper() {} public ConfigClientsHelper() {}
/** @since 0.9.14.1 */
public boolean isClientChangeEnabled() {
return _context.getBooleanProperty(PROP_ENABLE_CLIENT_CHANGE) || isAdvanced();
}
/** @since 0.9.14.1 */
public boolean isPluginInstallEnabled() {
return PluginStarter.pluginsEnabled(_context) &&
(_context.getBooleanProperty(PROP_ENABLE_PLUGIN_INSTALL) || isAdvanced());
}
/** @since 0.8.3 */ /** @since 0.8.3 */
public String getPort() { public String getPort() {
return _context.getProperty(ClientManagerFacadeImpl.PROP_CLIENT_PORT, return _context.getProperty(ClientManagerFacadeImpl.PROP_CLIENT_PORT,
@ -96,6 +109,7 @@ public class ConfigClientsHelper extends HelperBase {
.append(_("Control")).append("</th><th align=\"left\">") .append(_("Control")).append("</th><th align=\"left\">")
.append(_("Class and arguments")).append("</th></tr>\n"); .append(_("Class and arguments")).append("</th></tr>\n");
boolean allowEdit = isClientChangeEnabled();
List<ClientAppConfig> clients = ClientAppConfig.getClientApps(_context); List<ClientAppConfig> clients = ClientAppConfig.getClientApps(_context);
for (int cur = 0; cur < clients.size(); cur++) { for (int cur = 0; cur < clients.size(); cur++) {
ClientAppConfig ca = clients.get(cur); ClientAppConfig ca = clients.get(cur);
@ -117,19 +131,21 @@ public class ConfigClientsHelper extends HelperBase {
// dangerous, but allow editing the console args too // dangerous, but allow editing the console args too
//"webConsole".equals(ca.clientName) || "Web console".equals(ca.clientName), //"webConsole".equals(ca.clientName) || "Web console".equals(ca.clientName),
false, RouterConsoleRunner.class.getName().equals(ca.className), false, RouterConsoleRunner.class.getName().equals(ca.className),
// description, edit // description
ca.className + ((ca.args != null) ? " " + ca.args : ""), /* (""+cur).equals(_edit) */ false, ca.className + ((ca.args != null) ? " " + ca.args : ""),
// edit
allowEdit && (""+cur).equals(_edit),
// show edit button, show update button // show edit button, show update button
// Don't allow edit if it's running, or else we would lose the "handle" to the ClientApp to stop it. // Don't allow edit if it's running, or else we would lose the "handle" to the ClientApp to stop it.
/* !showStop */ false, false, allowEdit && !showStop, false,
// show stop button // show stop button
showStop, showStop,
// show delete button, show start button // show delete button, show start button
!isConsole, showStart); !isConsole, showStart);
} }
//if ("new".equals(_edit)) if (allowEdit && "new".equals(_edit))
// renderForm(buf, "" + clients.size(), "", false, false, false, false, "", true, false, false, false, false, false); renderForm(buf, "" + clients.size(), "", false, false, false, false, "", true, false, false, false, false, false);
buf.append("</table>\n"); buf.append("</table>\n");
return buf.toString(); return buf.toString();
} }
@ -291,9 +307,9 @@ public class ConfigClientsHelper extends HelperBase {
if (showStopButton && (!edit)) if (showStopButton && (!edit))
buf.append("<button type=\"submit\" class=\"Xstop\" name=\"action\" value=\"Stop ").append(index).append("\" >") buf.append("<button type=\"submit\" class=\"Xstop\" name=\"action\" value=\"Stop ").append(index).append("\" >")
.append(_("Stop")).append("<span class=hide> ").append(index).append("</span></button>"); .append(_("Stop")).append("<span class=hide> ").append(index).append("</span></button>");
//if (showEditButton && (!edit) && !ro) if (isClientChangeEnabled() && showEditButton && (!edit) && !ro)
// buf.append("<button type=\"submit\" class=\"Xadd\" name=\"edit\" value=\"Edit ").append(index).append("\" >") buf.append("<button type=\"submit\" class=\"Xadd\" name=\"edit\" value=\"Edit ").append(index).append("\" >")
// .append(_("Edit")).append("<span class=hide> ").append(index).append("</span></button>"); .append(_("Edit")).append("<span class=hide> ").append(index).append("</span></button>");
if (showUpdateButton && (!edit) && !ro) { if (showUpdateButton && (!edit) && !ro) {
buf.append("<button type=\"submit\" class=\"Xcheck\" name=\"action\" value=\"Check ").append(index).append("\" >") buf.append("<button type=\"submit\" class=\"Xcheck\" name=\"action\" value=\"Check ").append(index).append("\" >")
.append(_("Check for updates")).append("<span class=hide> ").append(index).append("</span></button>"); .append(_("Check for updates")).append("<span class=hide> ").append(index).append("</span></button>");


@ -26,7 +26,7 @@ public class ConfigReseedHelper extends HelperBase {
} }
/** @since 0.8.9 */ /** @since 0.8.9 */
public String getPassword() { public String getNofilter_password() {
return _context.getProperty(Reseeder.PROP_PROXY_PASSWORD, ""); return _context.getProperty(Reseeder.PROP_PROXY_PASSWORD, "");
} }
@ -46,7 +46,7 @@ public class ConfigReseedHelper extends HelperBase {
} }
/** @since 0.8.9 */ /** @since 0.8.9 */
public String getSpassword() { public String getNofilter_spassword() {
return _context.getProperty(Reseeder.PROP_SPROXY_PASSWORD, ""); return _context.getProperty(Reseeder.PROP_SPROXY_PASSWORD, "");
} }
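Review bot: `getNofilter_password()` still returns the stored proxy password raw, and configreseed.jsp (lines 816 and 823) drops that return value straight into a double-quoted `value="..."` attribute via `jsp:getProperty`, which performs no escaping, so a password containing `"` breaks out of the attribute. The `nofilter_` rename exists precisely so that such characters survive the parameter filter on the way in, which makes escaping on the way out the right place for it: `return DataHelper.escapeHTML(_context.getProperty(Reseeder.PROP_PROXY_PASSWORD, ""));` and the same for `getNofilter_spassword()`, assuming `DataHelper.escapeHTML` covers the double quote — confirm against its implementation, which is not on this page. The same consideration applies to any other `nofilter_` getter that feeds an attribute value.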


@ -122,7 +122,7 @@ public class ConfigStatsHandler extends FormHandler {
addFormNotice(_("Restart required to take effect")); addFormNotice(_("Restart required to take effect"));
} }
if (graphsChanged) if (graphsChanged)
addFormNotice(_("Graph list updated, may take up to 60s to be reflected on the {0}Graphs Page{1}", "<a href=\"graphs\">", "</a>")); addFormNoticeNoEscape(_("Graph list updated, may take up to 60s to be reflected on the {0}Graphs Page{1}", "<a href=\"graphs\">", "</a>"));
} }
} }
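Review bot: The switch to `addFormNoticeNoEscape` at line 588 deserves a one-line comment, because anyone auditing escaping has to work out that the only markup is the fixed `<a href="graphs">` pair passed as the `{0}`/`{1}` arguments and that no request data reaches the string; suggest `// NoEscape: embeds a fixed <a> link; the message contains no user input`. Worth noting that the translated template itself is now rendered unescaped, so this path relies on the translation catalog being trusted.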


@ -35,8 +35,12 @@ public class ConfigUIHandler extends FormHandler {
/** note - lang change is handled in CSSHelper but we still need to save it here */ /** note - lang change is handled in CSSHelper but we still need to save it here */
private void saveChanges() { private void saveChanges() {
if (_config == null) if (_config == null || _config.length() <= 0)
return; return;
if (_config.replaceAll("[a-zA-Z0-9_-]", "").length() != 0) {
addFormError("Bad theme name");
return;
}
Map<String, String> changes = new HashMap<String, String>(); Map<String, String> changes = new HashMap<String, String>();
List<String> removes = new ArrayList<String>(); List<String> removes = new ArrayList<String>();
String oldTheme = _context.getProperty(CSSHelper.PROP_THEME_NAME, CSSHelper.DEFAULT_THEME); String oldTheme = _context.getProperty(CSSHelper.PROP_THEME_NAME, CSSHelper.DEFAULT_THEME);
@ -76,7 +80,7 @@ public class ConfigUIHandler extends FormHandler {
addFormError(_("No user name entered")); addFormError(_("No user name entered"));
return; return;
} }
String pw = getJettyString("pw"); String pw = getJettyString("nofilter_pw");
if (pw == null || pw.length() <= 0) { if (pw == null || pw.length() <= 0) {
addFormError(_("No password entered")); addFormError(_("No password entered"));
return; return;
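Review bot: The new theme-name check at lines 599-602 reports `addFormError("Bad theme name")` untranslated, while the neighbouring errors in the same method (`_("No user name entered")`, `_("No password entered")`) go through `_()`; wrap it as `addFormError(_("Bad theme name"));`. The check itself reads more directly as `if (!_config.matches("[a-zA-Z0-9_-]+"))`, which avoids building a stripped copy of the string and states what is allowed rather than what is removed; since the pattern is an allow-list that keeps `/` and `..` out of the theme lookup, that is the property worth naming in a comment above it. `saveChanges()` continues past the end of the hunk.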


@ -183,7 +183,7 @@ public class ConfigUIHelper extends HelperBase {
"</td><td align=\"left\"><input type=\"text\" name=\"name\">" + "</td><td align=\"left\"><input type=\"text\" name=\"name\">" +
"</td><td align=\"left\"><b>"); "</td><td align=\"left\"><b>");
buf.append(_("Password")).append(":</b> " + buf.append(_("Password")).append(":</b> " +
"<input type=\"password\" size=\"40\" name=\"pw\"></td></tr>" + "<input type=\"password\" size=\"40\" name=\"nofilter_pw\"></td></tr>" +
"</table>\n"); "</table>\n");
return buf.toString(); return buf.toString();
} }


@ -173,11 +173,14 @@ public class ConfigUpdateHandler extends FormHandler {
_newsThroughProxy = false; _newsThroughProxy = false;
String oldURL = ConfigUpdateHelper.getNewsURL(_context); String oldURL = ConfigUpdateHelper.getNewsURL(_context);
if ( (oldURL == null) || (!_newsURL.equals(oldURL)) ) { if ( (oldURL == null) || (!_newsURL.equals(oldURL)) ) {
//changes.put(PROP_NEWS_URL, _newsURL); if (isAdvanced()) {
// this invalidates the news changes.put(PROP_NEWS_URL, _newsURL);
//changes.put(NewsHelper.PROP_LAST_CHECKED, "0"); // this invalidates the news
//addFormNotice(_("Updating news URL to {0}", _newsURL)); changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
addFormError("Changing news URL disabled"); addFormNotice(_("Updating news URL to {0}", _newsURL));
} else {
addFormError("Changing news URL disabled");
}
} }
} }
@ -199,7 +202,8 @@ public class ConfigUpdateHandler extends FormHandler {
changes.put(PROP_SHOULD_PROXY, Boolean.toString(_updateThroughProxy)); changes.put(PROP_SHOULD_PROXY, Boolean.toString(_updateThroughProxy));
changes.put(PROP_SHOULD_PROXY_NEWS, Boolean.toString(_newsThroughProxy)); changes.put(PROP_SHOULD_PROXY_NEWS, Boolean.toString(_newsThroughProxy));
changes.put(PROP_UPDATE_UNSIGNED, Boolean.toString(_updateUnsigned)); if (isAdvanced())
changes.put(PROP_UPDATE_UNSIGNED, Boolean.toString(_updateUnsigned));
String oldFreqStr = _context.getProperty(PROP_REFRESH_FREQUENCY, DEFAULT_REFRESH_FREQUENCY); String oldFreqStr = _context.getProperty(PROP_REFRESH_FREQUENCY, DEFAULT_REFRESH_FREQUENCY);
long oldFreq = DEFAULT_REFRESH_FREQ; long oldFreq = DEFAULT_REFRESH_FREQ;
@ -233,17 +237,24 @@ public class ConfigUpdateHandler extends FormHandler {
oldKeys = oldKeys.replace("\r\n", ","); oldKeys = oldKeys.replace("\r\n", ",");
if (!_trustedKeys.equals(oldKeys)) { if (!_trustedKeys.equals(oldKeys)) {
// note that keys are not validated here and no console error message will be generated // note that keys are not validated here and no console error message will be generated
changes.put(PROP_TRUSTED_KEYS, _trustedKeys); if (isAdvanced()) {
addFormNotice(_("Updating trusted keys.")); changes.put(PROP_TRUSTED_KEYS, _trustedKeys);
addFormNotice(_("Updating trusted keys."));
} else {
addFormError("Changing trusted keys disabled");
}
} }
} }
if ( (_zipURL != null) && (_zipURL.length() > 0) ) { if ( (_zipURL != null) && (_zipURL.length() > 0) ) {
String oldURL = _context.router().getConfigSetting(PROP_ZIP_URL); String oldURL = _context.router().getConfigSetting(PROP_ZIP_URL);
if ( (oldURL == null) || (!_zipURL.equals(oldURL)) ) { if ( (oldURL == null) || (!_zipURL.equals(oldURL)) ) {
//changes.put(PROP_ZIP_URL, _zipURL); if (isAdvanced()) {
//addFormNotice(_("Updating unsigned update URL to {0}", _zipURL)); changes.put(PROP_ZIP_URL, _zipURL);
addFormError("Changing unsigned update URL disabled"); addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
} else {
addFormError("Changing unsigned update URL disabled");
}
} }
} }
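Review bot: The `isAdvanced()` gate at lines 645-646 silently drops a changed `PROP_UPDATE_UNSIGNED` value, whereas the same gate on the news URL (636-638), trusted keys (656-658) and unsigned update URL (667-669) reports an `addFormError`; for consistency, and so a user sees why the checkbox did not stick, add an `else` branch with an error, or a comment stating that configupdate.jsp hides the checkbox from non-advanced users so no message is needed. The three new error strings are also not passed through `_()` while the adjacent `addFormNotice` calls are. The trusted-keys branch still carries the existing comment that keys are not validated; now that the property is writable again from the form, a format check before storing would be a sensible follow-up, since this list presumably governs which update signers are accepted.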


@ -51,8 +51,8 @@ public abstract class FormHandler {
} }
} }
public void setNonce(String val) { _nonce = DataHelper.stripHTML(val); } public void setNonce(String val) { _nonce = val == null ? null : DataHelper.stripHTML(val); }
public void setAction(String val) { _action = DataHelper.stripHTML(val); } public void setAction(String val) { _action = val == null ? null : DataHelper.stripHTML(val); }
/** /**
* For many forms, it's easiest just to put all the parameters here. * For many forms, it's easiest just to put all the parameters here.
@ -61,6 +61,14 @@ public abstract class FormHandler {
*/ */
public void setSettings(Map settings) { _settings = new HashMap(settings); } public void setSettings(Map settings) { _settings = new HashMap(settings); }
/**
* Same as HelperBase
* @since 0.9.14.1
*/
public boolean isAdvanced() {
return _context.getBooleanProperty(HelperBase.PROP_ADVANCED);
}
/** /**
* setSettings() must have been called previously * setSettings() must have been called previously
* Curses Jetty for returning arrays. * Curses Jetty for returning arrays.
@ -102,16 +110,31 @@ public abstract class FormHandler {
/** /**
* Add an error message to display * Add an error message to display
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/ */
protected void addFormError(String errorMsg) { protected void addFormError(String errorMsg) {
if (errorMsg == null) return; if (errorMsg == null) return;
_errors.add(errorMsg); _errors.add(DataHelper.escapeHTML(errorMsg));
} }
/** /**
* Add a non-error message to display * Add a non-error message to display
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/ */
protected void addFormNotice(String msg) { protected void addFormNotice(String msg) {
if (msg == null) return;
_notices.add(DataHelper.escapeHTML(msg));
}
/**
* Add a non-error message to display
* Use if it includes a link or other formatting.
* Does not escape '<' and '>' before queueing
* @since 0.9.14.1
*/
protected void addFormNoticeNoEscape(String msg) {
if (msg == null) return; if (msg == null) return;
_notices.add(msg); _notices.add(msg);
} }
@ -180,7 +203,7 @@ public abstract class FormHandler {
} }
// To prevent actions with GET, jsps must call storeMethod() // To prevent actions with GET, jsps must call storeMethod()
if (_method != null && !"POST".equals(_method)) { if (_method != null && !"POST".equals(_method)) {
addFormError("Invalid form submission, requires POST not " + _method); addFormError("Invalid form submission, requires POST");
_valid = false; _valid = false;
return; return;
} }
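Review bot: `addFormError` now escapes at line 703, but no `addFormErrorNoEscape` counterpart is added alongside `addFormNoticeNoEscape` (lines 720-723); any existing `addFormError` caller that embeds a link, as ConfigStatsHandler did for a notice (line 588), will now display the markup as literal text, so either audit the callers or add the matching method. Escaping at queue time rather than render time also means the `*NoEscape` variants must never receive request-derived data, which the Javadoc should say outright, e.g. `* Caller must ensure the message contains no untrusted input.` Dropping `_method` from the POST error at line 728 is a good change, since that string was request-controlled.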


@ -818,19 +818,19 @@ public class SummaryHelper extends HelperBase {
/* below here is stuff we need to get from summarynoframe.jsp to SummaryBarRenderer */ /* below here is stuff we need to get from summarynoframe.jsp to SummaryBarRenderer */
private String _action; private String _action;
public void setAction(String s) { _action = DataHelper.stripHTML(s); } public void setAction(String s) { _action = s == null ? null : DataHelper.stripHTML(s); }
public String getAction() { return _action; } public String getAction() { return _action; }
private String _consoleNonce; private String _consoleNonce;
public void setConsoleNonce(String s) { _consoleNonce = DataHelper.stripHTML(s); } public void setConsoleNonce(String s) { _consoleNonce = s == null ? null : DataHelper.stripHTML(s); }
public String getConsoleNonce() { return _consoleNonce; } public String getConsoleNonce() { return _consoleNonce; }
private String _updateNonce; private String _updateNonce;
public void setUpdateNonce(String s) { _updateNonce = DataHelper.stripHTML(s); } public void setUpdateNonce(String s) { _updateNonce = s == null ? null : DataHelper.stripHTML(s); }
public String getUpdateNonce() { return _updateNonce; } public String getUpdateNonce() { return _updateNonce; }
private String _requestURI; private String _requestURI;
public void setRequestURI(String s) { _requestURI = DataHelper.stripHTML(s); } public void setRequestURI(String s) { _requestURI = s == null ? null : DataHelper.stripHTML(s); }
/** /**
* @return non-null; "/home" if (strangely) not set by jsp * @return non-null; "/home" if (strangely) not set by jsp
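Review bot: The four setters at lines 738-747 now repeat the same `s == null ? null : DataHelper.stripHTML(s)` expression, and FormHandler's `setNonce`/`setAction` (lines 678-679) repeat it again; a single helper, `private static String stripOrNull(String s) { return s == null ? null : DataHelper.stripHTML(s); }`, would keep the null handling in one place. Note also that, as far as this page shows, `stripHTML` removes tags rather than escaping quotes, so whether it is sufficient for `_requestURI` depends on how the renderer emits that value, which is outside this section — confirm it is attribute-escaped at the point of use.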


@ -24,19 +24,20 @@
<%@include file="formhandler.jsi" %> <%@include file="formhandler.jsi" %>
<div class="configure"> <div class="configure">
<div class="wideload"> <div class="wideload">
<!-- <% if (advancedhelper.isAdvanced()) { %>
<form action="" method="POST"> <form action="" method="POST">
<input type="hidden" name="nonce" value="<%=pageNonce%>" > <input type="hidden" name="nonce" value="<%=pageNonce%>" >
<input type="hidden" name="action" value="blah" > <input type="hidden" name="action" value="blah" >
--> <% } // isAdvanced %>
<h3><%=intl._("Advanced I2P Configuration")%></h3> <h3><%=intl._("Advanced I2P Configuration")%></h3>
<textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false" readonly="readonly"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr> <textarea rows="32" cols="60" name="nofilter_config" wrap="off" spellcheck="false" <% if (!advancedhelper.isAdvanced()) { %>readonly="readonly"<% } %>><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
<!-- <% if (advancedhelper.isAdvanced()) { %>
<div class="formaction"> <div class="formaction">
<input type="reset" class="cancel" value="<%=intl._("Cancel")%>" > <input type="reset" class="cancel" value="<%=intl._("Cancel")%>" >
<input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" > <input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" >
<br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%> <br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%>
</div></form> </div></form>
--> <% } else { %>
To make changes, edit the router.config file. To make changes, edit the router.config file.
<% } // isAdvanced %>
</div></div></div></body></html> </div></div></div></body></html>
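Review bot: The `advancedhelper.isAdvanced()` checks at lines 757, 761, 763-764 and 770-772 only control what the page renders; a POST carrying `nofilter_config` and `shouldsave` reaches the handler regardless of what was displayed, so the handler that saves this textarea must apply the same `isAdvanced()` gate server-side. That handler is not in this commit's view, so this may already be covered; if it is, a comment on the form such as `<%-- server-side gate: handler rejects the save unless isAdvanced() --%>` would tie the two together for the next reader. The textarea body comes from `property="settings"` unescaped; if a stored value can contain `</textarea>` the helper should escape it, which is pre-existing but matters more now that the field is editable.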


@ -39,7 +39,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<%=intl._("All changes require restart to take effect.")%></i> <%=intl._("All changes require restart to take effect.")%></i>
</p><hr><div class="formaction"> </p><hr><div class="formaction">
<input type="submit" class="cancel" name="foo" value="<%=intl._("Cancel")%>" /> <input type="submit" class="cancel" name="foo" value="<%=intl._("Cancel")%>" />
<% if (false && request.getParameter("edit") == null) { %> <% if (clientshelper.isClientChangeEnabled() && request.getParameter("edit") == null) { %>
<input type="submit" name="edit" class="add" value="<%=intl._("Add Client")%>" /> <input type="submit" name="edit" class="add" value="<%=intl._("Add Client")%>" />
<% } %> <% } %>
<input type="submit" class="accept" name="action" value="<%=intl._("Save Client Configuration")%>" /> <input type="submit" class="accept" name="action" value="<%=intl._("Save Client Configuration")%>" />
@ -80,7 +80,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<%=intl._("Username")%>: <%=intl._("Username")%>:
<input name="user" type="text" value="" /><br> <input name="user" type="text" value="" /><br>
<%=intl._("Password")%>: <%=intl._("Password")%>:
<input name="pw" type="password" value="" /><br> <input name="nofilter_pw" type="password" value="" /><br>
</p><p><b><%=intl._("The default settings will work for most people.")%></b> </p><p><b><%=intl._("The default settings will work for most people.")%></b>
<%=intl._("Any changes made here must also be configured in the external client.")%> <%=intl._("Any changes made here must also be configured in the external client.")%>
<%=intl._("Many clients do not support SSL or authorization.")%> <%=intl._("Many clients do not support SSL or authorization.")%>
@ -117,7 +117,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<input type="submit" name="action" class="accept" value="<%=intl._("Save Plugin Configuration")%>" /> <input type="submit" name="action" class="accept" value="<%=intl._("Save Plugin Configuration")%>" />
</div></form></div> </div></form></div>
<!-- <% if (clientshelper.isPluginInstallEnabled()) { %>
<h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p> <h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p>
<%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%> <%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%>
<%=intl._("To install a plugin, enter the download URL:")%> <%=intl._("To install a plugin, enter the download URL:")%>
@ -133,6 +133,8 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
</div><hr><div class="formaction"> </div><hr><div class="formaction">
<input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" /> <input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" />
</div></form></div> </div></form></div>
--> <%
<% } %> } // pluginInstallEnabled
} // showPlugins
%>
</div></div></body></html> </div></div></body></html>
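Review bot: As with configadvanced.jsp, `clientshelper.isClientChangeEnabled()` (line 781) and `isPluginInstallEnabled()` (lines 796, 804-807) gate only the rendering of the Add Client and plugin-install forms; the corresponding handler actions need to enforce the same checks, since the form fields can be submitted without the buttons having been shown. The handler is outside this view, so this is a request to confirm rather than a known gap. The scriptlet at lines 804-807 closes two braces, `pluginInstallEnabled` and `showPlugins`, the latter opened outside this hunk; the inline comments are what makes that readable, so keep them if the block is reshuffled later.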


@ -52,7 +52,7 @@
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Username")%>:</b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Username")%>:</b></td>
<td><input name="username" type="text" value="<jsp:getProperty name="reseedHelper" property="username" />" ></td></tr> <td><input name="username" type="text" value="<jsp:getProperty name="reseedHelper" property="username" />" ></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Password")%>:</b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Password")%>:</b></td>
<td><input name="password" type="password" value="<jsp:getProperty name="reseedHelper" property="password" />" ></td></tr> <td><input name="nofilter_password" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_password" />" ></td></tr>
<!-- TODO Need SSLEepGet support <!-- TODO Need SSLEepGet support
<tr><td class="mediumtags" align="right"><b><%=intl._("Enable HTTPS Proxy?")%></b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("Enable HTTPS Proxy?")%></b></td>
@ -67,7 +67,7 @@
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Username")%>:</b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Username")%>:</b></td>
<td><input name="susername" type="text" value="<jsp:getProperty name="reseedHelper" property="susername" />" ></td></tr> <td><input name="susername" type="text" value="<jsp:getProperty name="reseedHelper" property="susername" />" ></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Password")%>:</b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Password")%>:</b></td>
<td><input name="spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="spassword" />" ></td></tr> <td><input name="nofilter_spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_spassword" />" ></td></tr>
--> -->
</table></div> </table></div>
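Review bot: Lines 817-824 are an HTML comment (`<!-- TODO ... -->`), not a JSP comment, so the `<jsp:getProperty name="reseedHelper" property="nofilter_spassword" />` action at line 823 still executes on the server and the stored HTTPS proxy password is written into the page source inside that comment, even though no field is shown. Use a JSP comment, `<%-- TODO Need SSLEepGet support ... --%>`, so the block is neither evaluated nor sent to the browser. Separately, both password values at lines 816 and 823 land in a `value="..."` attribute without escaping, as raised on the ConfigReseedHelper section.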


@ -41,7 +41,7 @@
<% } %></td></tr> <% } %></td></tr>
<tr><td colspan="2"><br></td></tr> <tr><td colspan="2"><br></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td> <tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td>
<td><input type="text" size="60" name="newsURL" readonly="readonly" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td> <td><input type="text" size="60" name="newsURL" <% if (!updatehelper.isAdvanced()) { %>readonly="readonly"<% } %> value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b> </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b>
<td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr> <td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr>
<% if (updatehelper.canInstall()) { %> <% if (updatehelper.canInstall()) { %>
@ -64,13 +64,11 @@
<td><textarea cols="60" rows="6" name="updateURL" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="updateURL" /></textarea></td> <td><textarea cols="60" rows="6" name="updateURL" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="updateURL" /></textarea></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Trusted keys")%>:</b></td> </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Trusted keys")%>:</b></td>
<td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr> <td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr>
<% } // if isAdvanced %>
<!--
<tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td> <tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td>
<td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td> <td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td> </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td>
<td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr> <td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr>
--> <% } // if isAdvanced %>
<% } else { %> <% } else { %>
<tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr> <tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr>
<% } // if canInstall %> <% } // if canInstall %>


@ -12,7 +12,9 @@
* with headers set so the browser caches. * with headers set so the browser caches.
*/ */
String c = request.getParameter("c"); String c = request.getParameter("c");
if (c != null && c.length() > 0) { if (c != null &&
(c.length() == 2 || c.length() == 7) &&
c.replaceAll("[a-z_]", "").length() == 0) {
java.io.OutputStream cout = response.getOutputStream(); java.io.OutputStream cout = response.getOutputStream();
String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath(); String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
String file = "docs" + java.io.File.separatorChar + "icons" + java.io.File.separatorChar + String file = "docs" + java.io.File.separatorChar + "icons" + java.io.File.separatorChar +
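Review bot: The new allow-list at lines 858-860 (two or seven characters from `[a-z_]`) is what keeps `c` from reaching the `docs/icons/...` file name with `/` or `..` in it, but nothing says so; add `// allow-list: c becomes part of a file name below, so restrict it to icon-name characters` above the check, and state where the lengths 2 and 7 come from, which is not recoverable from this hunk. The condition could also be written as `c.matches("[a-z_]{2}|[a-z_]{7}")` so the accepted shape is visible in one expression. The scriptlet continues past the end of the hunk.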


@ -14,10 +14,11 @@
<div class="main" id="main"><div class="wideload"> <div class="main" id="main"><div class="wideload">
<% <%
String peerB64 = request.getParameter("peer"); String peerB64 = request.getParameter("peer");
if (peerB64 == null || peerB64.length() <= 0) { if (peerB64 == null || peerB64.length() <= 0 ||
peerB64.replaceAll("[a-zA-Z0-9~=-]", "").length() != 0) {
out.print("No peer specified"); out.print("No peer specified");
} else { } else {
peerB64 = net.i2p.data.DataHelper.stripHTML(peerB64); // XSS
%> %>
<jsp:useBean id="stathelper" class="net.i2p.router.web.StatHelper" /> <jsp:useBean id="stathelper" class="net.i2p.router.web.StatHelper" />
<jsp:setProperty name="stathelper" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" /> <jsp:setProperty name="stathelper" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
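Review bot: Once the allow-list at lines 871-872 admits only `[a-zA-Z0-9~=-]`, the `stripHTML` call added at line 875 can no longer alter the value (none of the admitted characters are ones it acts on, as far as this page shows), so it reads as a second, contradictory defence; either drop it or replace `// XSS` with a comment saying it is deliberately redundant. The `"No peer specified"` message at line 873 is now also printed for a peer string that was supplied but failed the character check, which will mislead anyone debugging a bad link; an `else if` with `out.print("Invalid peer");` would keep the two cases apart. The scriptlet continues outside the hunk.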


@ -1,3 +1,14 @@
2014-08-03 zzz
* Console:
- Fix update buttons
- Don't filter parameter names starting with "nofilter_"
- Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
- Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
- Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
- Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
- More escaping
* i2psnark: Fix add torrent form
2014-07-31 zzz 2014-07-31 zzz
* ExecNamingService: Remove * ExecNamingService: Remove
* Plugins: Add whitelist of keys * Plugins: Add whitelist of keys


@ -18,10 +18,10 @@ public class RouterVersion {
/** deprecated */ /** deprecated */
public final static String ID = "Monotone"; public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION; public final static String VERSION = CoreVersion.VERSION;
public final static long BUILD = 1; public final static long BUILD = 2;
/** for example "-test" */ /** for example "-test" */
public final static String EXTRA = ""; public final static String EXTRA = "-rc";
public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA; public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;
public static void main(String args[]) { public static void main(String args[]) {
System.out.println("I2P Router version: " + FULL_VERSION); System.out.println("I2P Router version: " + FULL_VERSION);