* Console:

- Fix update buttons
   - Don't filter parameter names starting with "nofilter_"
   - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
   - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
   - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
   - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
   - More escaping
 * i2psnark: Fix add torrent form
zzz
2014-08-03 13:58:51 +00:00
parent bf9c4b2346
commit b28eb708a4
26 changed files with 289 additions and 131 deletions


@ -241,7 +241,20 @@ public class SnarkManager implements CompleteListener {
private static final int MAX_MESSAGES = 100;
/**
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/
public void addMessage(String message) {
addMessageNoEscape(message.replace("<", "&lt;").replace(">", "&gt;"));
}
/**
* Use if it includes a link.
* Does not escape '<' and '>' before queueing
* @since 0.9.14.1
*/
public void addMessageNoEscape(String message) {
_messages.offer(message);
while (_messages.size() > MAX_MESSAGES) {
_messages.poll();
@ -579,7 +592,7 @@ public class SnarkManager implements CompleteListener {
}
if (dataDir != null && !dataDir.equals(getDataDir().getAbsolutePath())) {
dataDir = dataDir.trim();
dataDir = DataHelper.stripHTML(dataDir.trim());
File dd = new File(dataDir);
if (!dd.isAbsolute()) {
addMessage(_("Data directory must be an absolute path") + ": " + dataDir);
@ -609,7 +622,7 @@ public class SnarkManager implements CompleteListener {
}
Map<String, String> opts = new HashMap<String, String>();
if (i2cpOpts == null) i2cpOpts = "";
i2cpOpts = DataHelper.stripHTML(i2cpOpts);
StringTokenizer tok = new StringTokenizer(i2cpOpts, " \t\n");
while (tok.hasMoreTokens()) {
String pair = tok.nextToken();
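Review bot: addMessage() at the top of this section neutralizes only `<` and `>`, so a message that is later placed inside an attribute value or a script string is still not safe, and the javadoc should state that limit instead of just "Escapes '<' and '>'". I would write `* Escapes only '<' and '>' before queueing; quotes and '&' pass through, so the message must be rendered as element text, never inside an attribute.` Whether any renderer currently puts these messages into attributes is not visible from the hunk. addMessageNoEscape continues past the hunk.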


@ -711,7 +711,7 @@ public class I2PSnarkServlet extends BasicServlet {
// return;
//}
if ("Add".equals(action)) {
String newURL = req.getParameter("newURL");
String newURL = req.getParameter("nofilter_newURL");
/******
// NOTE - newFile currently disabled in HTML form - see below
File f = null;
@ -747,7 +747,13 @@ public class I2PSnarkServlet extends BasicServlet {
} else
*****/
if (newURL != null) {
if (newURL.startsWith("http://")) {
if (newURL.contains("<") || newURL.contains(">") ||
newURL.contains("%3C") || newURL.contains("%3E") ||
newURL.contains("%3c") || newURL.contains("%3e") ||
newURL.contains("\"") || newURL.contains("'") ||
newURL.contains("%22") || newURL.contains("%27")) {
_manager.addMessage("Invalid URL");
} else if (newURL.startsWith("http://")) {
FetchAndAdd fetch = new FetchAndAdd(_context, _manager, newURL);
_manager.addDownloader(fetch);
} else if (newURL.startsWith(MagnetURI.MAGNET) || newURL.startsWith(MagnetURI.MAGGOT)) {
@ -937,7 +943,7 @@ public class I2PSnarkServlet extends BasicServlet {
if (k.startsWith("backup_")) {
String url = k.substring(7);
if (!url.equals(announceURL))
backupURLs.add(url);
backupURLs.add(DataHelper.stripHTML(url));
}
}
List<List<String>> announceList = null;
@ -1036,7 +1042,7 @@ public class I2PSnarkServlet extends BasicServlet {
Tracker t;
if ((t = trackers.remove(k)) != null) {
removed.add(t.announceURL);
_manager.addMessage(_("Removed") + ": " + k);
_manager.addMessage(_("Removed") + ": " + DataHelper.stripHTML(k));
changed = true;
}
} else if (k.startsWith("open_")) {
@ -1070,9 +1076,9 @@ public class I2PSnarkServlet extends BasicServlet {
String hurl = req.getParameter("thurl");
String aurl = req.getParameter("taurl");
if (name != null && hurl != null && aurl != null) {
name = name.trim();
hurl = hurl.trim();
aurl = aurl.trim().replace("=", "&#61;");
name = DataHelper.stripHTML(name.trim());
hurl = DataHelper.stripHTML(hurl.trim());
aurl = DataHelper.stripHTML(aurl.trim()).replace("=", "&#61;");
if (name.length() > 0 && hurl.startsWith("http://") && TrackerClient.isValidAnnounce(aurl)) {
Map<String, Tracker> trackers = _manager.getTrackerMap();
trackers.put(name, new Tracker(name, aurl, hurl));
@ -1716,7 +1722,7 @@ public class I2PSnarkServlet extends BasicServlet {
private void writeAddForm(PrintWriter out, HttpServletRequest req) throws IOException {
// display incoming parameter if a GET so links will work
String newURL = req.getParameter("newURL");
String newURL = req.getParameter("nofilter_newURL");
if (newURL == null || newURL.trim().length() <= 0 || req.getMethod().equals("POST"))
newURL = "";
else
@ -1732,13 +1738,13 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting
String peerParam = req.getParameter("p");
if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n");
out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<div class=\"addtorrentsection\"><span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "add.png\"> ");
out.write(_("Add Torrent"));
out.write("</span><hr>\n<table border=\"0\"><tr><td>");
out.write(_("From URL"));
out.write(":<td><input type=\"text\" name=\"newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\"");
out.write(":<td><input type=\"text\" name=\"nofilter_newURL\" size=\"85\" value=\"" + newURL + "\" spellcheck=\"false\"");
out.write(" title=\"");
out.write(_("Enter the torrent file download URL (I2P only), magnet link, maggot link, or info hash"));
out.write("\"> \n");
@ -1770,7 +1776,7 @@ public class I2PSnarkServlet extends BasicServlet {
// don't lose peer setting
String peerParam = req.getParameter("p");
if (peerParam != null)
out.write("<input type=\"hidden\" name=\"p\" value=\"" + peerParam + "\" >\n");
out.write("<input type=\"hidden\" name=\"p\" value=\"" + DataHelper.stripHTML(peerParam) + "\" >\n");
out.write("<span class=\"snarkConfigTitle\">");
out.write("<img alt=\"\" border=\"0\" src=\"" + _imgPath + "create.png\"> ");
out.write(_("Create Torrent"));
@ -2202,6 +2208,7 @@ public class I2PSnarkServlet extends BasicServlet {
/** @since 0.8.13 */
private static String urlEncode(String s) {
return s.replace(";", "%3B").replace("&", "&amp;").replace(" ", "%20")
.replace("<", "&lt;").replace(">", "&gt;")
.replace("[", "%5B").replace("]", "%5D");
}
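Review bot: In writeAddForm, `newURL` now comes from the unfiltered `nofilter_newURL` parameter and is concatenated straight into the `value=\"...\"` attribute in the second writeAddForm hunk; the `else` branch that assigns it lies between the two hunks, so if it does not escape the value a `"` in the GET parameter breaks out of the attribute, and the character denylist in the Add hunk runs only on the POST action path, not on this display path. Escape at the point of output regardless: `out.write(":<td><input type=\"text\" name=\"nofilter_newURL\" size=\"85\" value=\"" + DataHelper.escapeHTML(newURL) + "\" spellcheck=\"false\"");`. The ten-character denylist in the Add hunk is also fragile compared with parsing the value with `java.net.URI` and allow-listing the scheme, and `urlEncode` at the end of the section likewise leaves `"` untouched. Both enclosing methods extend beyond the hunks shown.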


@ -927,7 +927,7 @@ public class IndexBean {
_newProxyUser = s.trim();
}
public void setProxyPassword(String s) {
public void setNofilter_proxyPassword(String s) {
if (s != null)
_newProxyPW = s.trim();
}
@ -941,7 +941,7 @@ public class IndexBean {
_otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_USER, s.trim());
}
public void setOutproxyPassword(String s) {
public void setNofilter_outproxyPassword(String s) {
if (s != null)
_otherOptions.put(I2PTunnelHTTPClientBase.PROP_OUTPROXY_PW, s.trim());
}


@ -540,7 +540,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<label>
<%=intl._("Password")%>:
</label>
<input type="password" id="clientPort" name="proxyPassword" title="Set password for this service" value="" class="freetext" />
<input type="password" id="clientPort" name="nofilter_proxyPassword" title="Set password for this service" value="" class="freetext" />
</div>
<div class="subdivider">
<hr />
@ -564,7 +564,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<label>
<%=intl._("Password")%>:
</label>
<input type="password" id="clientPort" name="outproxyPassword" title="Enter password required by outproxy" value="<%=editBean.getOutproxyPassword(curTunnel)%>" class="freetext" />
<input type="password" id="clientPort" name="nofilter_outproxyPassword" title="Enter password required by outproxy" value="<%=editBean.getOutproxyPassword(curTunnel)%>" class="freetext" />
</div>
<div class="subdivider">
<hr />
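Review bot: Both renamed password inputs keep `id="clientPort"`, so the same id now appears at least twice on the page (and, going by its name, was copied from a port field); duplicate ids make `<label for>` and script lookups ambiguous, so give them distinct ids such as `id="proxyPassword"` and `id="outproxyPassword"`. The second input also writes `editBean.getOutproxyPassword(curTunnel)` into the attribute through a raw `<%= %>`; unless that getter already HTML-escapes, a stored password containing `"` breaks the attribute, which cannot be verified from this section.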


@ -21,14 +21,20 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
// Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
private static final Pattern parameterValuePattern = Pattern.compile("^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$");
private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$");
private static final String NOFILTER = "nofilter_";
public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (parameter.startsWith(NOFILTER))
return values;
if (values == null) {
return null;
@ -58,9 +64,14 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return encodedValues;
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (parameter.startsWith(NOFILTER))
return value;
String rv = stripXSS(value, parameterValuePattern);
if (value != null && rv == null) {
Log log = I2PAppContext.getGlobalContext().logManager().getLog(XSSRequestWrapper.class);
@ -69,6 +80,9 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return rv;
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public Map getParameterMap() {
Map rv = new HashMap();
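Review bot: The `nofilter_` bypass moves the output-encoding responsibility onto every consumer of such a parameter, but nothing in the class says so; the `NOFILTER` constant deserves `/** Parameters whose name starts with this prefix bypass stripXSS() entirely; the consumer must escape or validate the raw value itself (used for passwords and URLs). */`. getParameterMap's new javadoc makes the same promise, but its body runs past the hunk, so confirm the loop there also skips keys with the `NOFILTER` prefix. In getParameterValues and getParameter the prefix test runs after `super.getParameterValues()` / `super.getParameter()` has already been called; moving the `startsWith` check first would read more naturally, though the behaviour is the same.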


@ -54,6 +54,7 @@ class PluginUpdateRunner extends UpdateRunner {
private static final String XPI2P = "app.xpi2p";
private static final String ZIP = XPI2P + ".zip";
public static final String PLUGIN_DIR = PluginStarter.PLUGIN_DIR;
private static final String PROP_ALLOW_NEW_KEYS = "routerconsole.allowUntrustedPlugins";
public PluginUpdateRunner(RouterContext ctx, ConsoleUpdateManager mgr, List<URI> uris,
String appName, String oldVersion ) {
@ -162,7 +163,7 @@ class PluginUpdateRunner extends UpdateRunner {
// ok, now we check sigs and deal with a bad sig
String pubkey = props.getProperty("key");
String signer = props.getProperty("signer");
String signer = DataHelper.stripHTML(props.getProperty("signer"));
if (pubkey == null || signer == null || pubkey.length() != 172 || signer.length() <= 0) {
f.delete();
to.delete();
@ -179,6 +180,14 @@ class PluginUpdateRunner extends UpdateRunner {
up.addKey(e.getKey(), e.getValue());
}
// add all trusted plugin keys, so any conflicts with trusted keys
// will be discovered and rejected
Map<String, String> trustedKeys = TrustedPluginKeys.getKeys();
for (Map.Entry<String, String> e : trustedKeys.entrySet()) {
// ignore dups/bad keys
up.addKey(e.getKey(), e.getValue());
}
if (up.haveKey(pubkey)) {
// the key is already in the TrustedUpdate keyring
// verify the sig and verify that it is signed by the signer in the plugin.config file
@ -194,7 +203,7 @@ class PluginUpdateRunner extends UpdateRunner {
statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
return;
}
} else {
} else if (_context.getBooleanProperty(PROP_ALLOW_NEW_KEYS)) {
// add to keyring...
if(!up.addKey(pubkey, signer)) {
// bad or duplicate key
@ -218,6 +227,14 @@ class PluginUpdateRunner extends UpdateRunner {
statusDone("<b>" + _("Plugin signature verification of {0} failed", url) + "</b>");
return;
}
} else {
// unknown key
f.delete();
to.delete();
_log.error("Untrusted plugin key \"" + pubkey + "\" for plugin signer \"" + signer + "\"");
// don't display signer, we're really checking the key not the signer name
statusDone("<b>" + _("Plugin not installed - signer is untrusted") + "</b>");
return;
}
String sudVersion = TrustedUpdate.getVersionString(f);
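Review bot: `DataHelper.stripHTML(props.getProperty("signer"))` runs before the `signer == null` check on the following line, so a plugin.config without a `signer` entry now reaches stripHTML with null; the `val == null ? null : DataHelper.stripHTML(val)` guards added elsewhere in this commit (FormHandler, SummaryHelper) suggest stripHTML does not accept null, in which case the install would fail with a NullPointerException instead of taking the intended delete-and-report path. Keep the null check first: `String signer = props.getProperty("signer"); if (signer != null) signer = DataHelper.stripHTML(signer);`. The rest of the key-checking logic sits outside the hunks.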


@ -57,7 +57,8 @@ public class CSSHelper extends HelperBase {
*/
public void setLang(String lang) {
// Protected with nonce in css.jsi
if (lang != null && lang.length() > 0 && lang.length() <= 6) {
if (lang != null && lang.length() >= 2 && lang.length() <= 6 &&
lang.replaceAll("[a-zA-Z_]", "").length() == 0) {
Map m = new HashMap(2);
int under = lang.indexOf('_');
if (under < 0) {
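Review bot: The validity test `lang.replaceAll("[a-zA-Z_]", "").length() == 0` builds a throwaway string and recompiles the regex on every call just to ask whether every character is in the class; `matches` expresses the alphabet and the length bounds in one place, so the condition becomes `if (lang != null && lang.matches("[a-zA-Z_]{2,6}")) {`. The same replaceAll idiom appears in ConfigUIHandler.saveChanges for the theme name, where `if (!_config.matches("[a-zA-Z0-9_-]+")) {` after the existing null/empty return is equivalent. setLang continues past the hunk.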


@ -21,7 +21,9 @@ public class ConfigAdvancedHandler extends FormHandler {
@Override
protected void processForm() {
if (_shouldSave) {
//saveChanges();
if (isAdvanced())
saveChanges();
else
addFormError("Save disabled, edit the router.config file to make changes") ;
} else {
// noop
@ -31,7 +33,7 @@ public class ConfigAdvancedHandler extends FormHandler {
public void setShouldsave(String moo) { _shouldSave = true; }
//public void setRestart(String moo) { _forceRestart = true; }
public void setConfig(String val) {
public void setNofilter_config(String val) {
_config = val;
}
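Review bot: `addFormError("Save disabled, edit the router.config file to make changes")` is a user-facing string that bypasses the `_()` translation wrapper the existing messages in these handlers go through, so it will display untranslated; wrap it as `addFormError(_("Save disabled, edit the router.config file to make changes"));`. The same applies to the new `"Plugins disabled"` literals in ConfigClientsHandler, `"Bad theme name"` in ConfigUIHandler and the three `"Changing ... disabled"` errors in ConfigUpdateHandler. If leaving them untranslated is deliberate for these advanced-only paths, a one-line comment saying so would stop the next reader from "fixing" it.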


@ -3,6 +3,7 @@ package net.i2p.router.web;
import java.util.Map;
import java.util.TreeMap;
import net.i2p.data.DataHelper;
public class ConfigAdvancedHelper extends HelperBase {
public ConfigAdvancedHelper() {}
@ -12,8 +13,8 @@ public class ConfigAdvancedHelper extends HelperBase {
TreeMap<String, String> sorted = new TreeMap<String, String>();
sorted.putAll(_context.router().getConfigMap());
for (Map.Entry<String, String> e : sorted.entrySet()) {
String name = e.getKey();
String val = e.getValue();
String name = DataHelper.escapeHTML(e.getKey());
String val = DataHelper.escapeHTML(e.getValue());
buf.append(name).append('=').append(val).append('\n');
}
return buf.toString();
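Review bot: The two `DataHelper.escapeHTML` calls have no comment explaining why configuration keys and values need HTML escaping, and the reason is not local to this method: the returned string is placed inside a `<textarea>` in configadvanced.jsp, where a value containing `</textarea>` or a tag would otherwise end the element. Add `// rendered inside a <textarea> in configadvanced.jsp; escape so a value cannot close the element` above the loop. Since the textarea is now writable for advanced users, the submitted text presumably has to be unescaped again on the way back (ConfigAdvancedHandler.saveChanges, not in this diff), otherwise `&amp;` and friends would be persisted into router.config; worth confirming.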


@ -49,17 +49,28 @@ public class ConfigClientsHandler extends FormHandler {
saveWebAppChanges();
return;
}
boolean pluginsEnabled = PluginStarter.pluginsEnabled(_context);
if (_action.equals(_("Save Plugin Configuration"))) {
if (pluginsEnabled)
savePluginChanges();
else
addFormError("Plugins disabled");
return;
}
if (_action.equals(_("Install Plugin"))) {
//installPlugin();
addFormError("Plugin installation disabled");
if (pluginsEnabled &&
(_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_PLUGIN_INSTALL) ||
isAdvanced()))
installPlugin();
else
addFormError("Plugins disabled");
return;
}
if (_action.equals(_("Update All Installed Plugins"))) {
if (pluginsEnabled)
updateAllPlugins();
else
addFormError("Plugins disabled");
return;
}
// value
@ -73,11 +84,15 @@ public class ConfigClientsHandler extends FormHandler {
startClient(appnum);
} else {
List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app))
if (plugins.contains(app)) {
if (pluginsEnabled)
startPlugin(app);
else
addFormError("Plugins disabled");
} else {
startWebApp(app);
}
}
return;
}
@ -90,7 +105,7 @@ public class ConfigClientsHandler extends FormHandler {
} catch (NumberFormatException nfe) {}
if (appnum >= 0) {
deleteClient(appnum);
} else {
} else if (pluginsEnabled) {
try {
PluginStarter.stopPlugin(_context, app);
} catch (ClassNotFoundException cnfe) {
@ -108,6 +123,8 @@ public class ConfigClientsHandler extends FormHandler {
addFormError(_("Error deleting plugin {0}", app) + ": " + e);
_log.error("Error deleting plugin " + app, e);
}
} else {
addFormError("Plugins disabled");
}
return;
}
@ -126,8 +143,12 @@ public class ConfigClientsHandler extends FormHandler {
List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app)) {
try {
if (pluginsEnabled) {
PluginStarter.stopPlugin(_context, app);
addFormNotice(_("Stopped plugin {0}", app));
} else {
addFormError("Plugins disabled");
}
} catch (Throwable e) {
addFormError(_("Error stopping plugin {0}", app) + ": " + e);
_log.error("Error stopping plugin " + app, e);
@ -142,15 +163,23 @@ public class ConfigClientsHandler extends FormHandler {
// value
if (_action.startsWith("Update ")) {
if (pluginsEnabled) {
String app = _action.substring(7);
updatePlugin(app);
} else {
addFormError("Plugins disabled");
}
return;
}
// value
if (_action.startsWith("Check ")) {
if (pluginsEnabled) {
String app = _action.substring(6);
checkPlugin(app);
} else {
addFormError("Plugins disabled");
}
return;
}
@ -168,11 +197,15 @@ public class ConfigClientsHandler extends FormHandler {
startClient(appnum);
} else {
List<String> plugins = PluginStarter.getPlugins();
if (plugins.contains(app))
if (plugins.contains(app)) {
if (pluginsEnabled)
startPlugin(app);
else
addFormError("Plugins disabled");
} else {
startWebApp(app);
}
}
} else {
//addFormError(_("Unsupported") + ' ' + _action + '.');
}
@ -187,8 +220,8 @@ public class ConfigClientsHandler extends FormHandler {
if (! (RouterConsoleRunner.class.getName().equals(ca.className)))
ca.disabled = val == null;
// edit of an existing entry
// disabled
/****
if (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_CLIENT_CHANGE) ||
isAdvanced()) {
String desc = getJettyString("desc" + cur);
if (desc != null) {
int spc = desc.indexOf(" ");
@ -202,11 +235,12 @@ public class ConfigClientsHandler extends FormHandler {
ca.args = args;
ca.clientName = getJettyString("name" + cur);
}
****/
}
}
// disabled
/****
// new client
if (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_CLIENT_CHANGE) ||
isAdvanced()) {
int newClient = clients.size();
String newDesc = getJettyString("desc" + newClient);
if (newDesc != null && newDesc.trim().length() > 0) {
@ -225,7 +259,7 @@ public class ConfigClientsHandler extends FormHandler {
clients.add(ca);
addFormNotice(_("New client added") + ": " + name + " (" + clss + ").");
}
****/
}
ClientAppConfig.writeClientAppConfig(_context, clients);
addFormNotice(_("Client configuration saved successfully"));
@ -330,7 +364,7 @@ public class ConfigClientsHandler extends FormHandler {
File path = new File(_context.getBaseDir(), "webapps");
path = new File(path, app + ".war");
WebAppStarter.startWebApp(_context, s, app, path.getAbsolutePath());
addFormNotice(_("WebApp") + " <a href=\"/" + app + "/\">" + _(app) + "</a> " + _("started") + '.');
addFormNoticeNoEscape(_("WebApp") + " <a href=\"/" + app + "/\">" + _(app) + "</a> " + _("started") + '.');
} catch (Throwable e) {
addFormError(_("Failed to start") + ' ' + _(app) + " " + e + '.');
_log.error("Failed to start webapp " + app, e);
@ -440,7 +474,7 @@ public class ConfigClientsHandler extends FormHandler {
if (intfc != null)
changes.put(ClientManagerFacadeImpl.PROP_CLIENT_HOST, intfc);
String user = getJettyString("user");
String pw = getJettyString("pw");
String pw = getJettyString("nofilter_pw");
if (user != null && pw != null && user.length() > 0 && pw.length() > 0) {
ConsolePasswordManager mgr = new ConsolePasswordManager(_context);
mgr.saveHash(ConfigClientsHelper.PROP_AUTH, user, pw);
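Review bot: The plugin-install gate `pluginsEnabled && (_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_PLUGIN_INSTALL) || isAdvanced())` in the first hunk and the client-change gate `_context.getBooleanProperty(ConfigClientsHelper.PROP_ENABLE_CLIENT_CHANGE) || isAdvanced()` (written twice in the saveClientChanges hunks) restate `ConfigClientsHelper.isPluginInstallEnabled()` and `isClientChangeEnabled()`, so the handler and the page can drift apart the next time either rule changes. Put the rule in one place, for example a static `ConfigClientsHelper.isPluginInstallEnabled(RouterContext)` / `isClientChangeEnabled(RouterContext)` that the helper's instance methods and this handler both call. `"Plugins disabled"` is also repeated nine times as a literal; a private constant would keep the wording uniform. The methods touched by these hunks continue outside the diff.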


@ -26,9 +26,22 @@ public class ConfigClientsHelper extends HelperBase {
public static final String PROP_ENABLE_SSL = "i2cp.SSL";
/** from ClientMessageEventListener */
public static final String PROP_AUTH = "i2cp.auth";
public static final String PROP_ENABLE_CLIENT_CHANGE = "routerconsole.enableClientChange";
public static final String PROP_ENABLE_PLUGIN_INSTALL = "routerconsole.enablePluginInstall";
public ConfigClientsHelper() {}
/** @since 0.9.14.1 */
public boolean isClientChangeEnabled() {
return _context.getBooleanProperty(PROP_ENABLE_CLIENT_CHANGE) || isAdvanced();
}
/** @since 0.9.14.1 */
public boolean isPluginInstallEnabled() {
return PluginStarter.pluginsEnabled(_context) &&
(_context.getBooleanProperty(PROP_ENABLE_PLUGIN_INSTALL) || isAdvanced());
}
/** @since 0.8.3 */
public String getPort() {
return _context.getProperty(ClientManagerFacadeImpl.PROP_CLIENT_PORT,
@ -96,6 +109,7 @@ public class ConfigClientsHelper extends HelperBase {
.append(_("Control")).append("</th><th align=\"left\">")
.append(_("Class and arguments")).append("</th></tr>\n");
boolean allowEdit = isClientChangeEnabled();
List<ClientAppConfig> clients = ClientAppConfig.getClientApps(_context);
for (int cur = 0; cur < clients.size(); cur++) {
ClientAppConfig ca = clients.get(cur);
@ -117,19 +131,21 @@ public class ConfigClientsHelper extends HelperBase {
// dangerous, but allow editing the console args too
//"webConsole".equals(ca.clientName) || "Web console".equals(ca.clientName),
false, RouterConsoleRunner.class.getName().equals(ca.className),
// description, edit
ca.className + ((ca.args != null) ? " " + ca.args : ""), /* (""+cur).equals(_edit) */ false,
// description
ca.className + ((ca.args != null) ? " " + ca.args : ""),
// edit
allowEdit && (""+cur).equals(_edit),
// show edit button, show update button
// Don't allow edit if it's running, or else we would lose the "handle" to the ClientApp to stop it.
/* !showStop */ false, false,
allowEdit && !showStop, false,
// show stop button
showStop,
// show delete button, show start button
!isConsole, showStart);
}
//if ("new".equals(_edit))
// renderForm(buf, "" + clients.size(), "", false, false, false, false, "", true, false, false, false, false, false);
if (allowEdit && "new".equals(_edit))
renderForm(buf, "" + clients.size(), "", false, false, false, false, "", true, false, false, false, false, false);
buf.append("</table>\n");
return buf.toString();
}
@ -291,9 +307,9 @@ public class ConfigClientsHelper extends HelperBase {
if (showStopButton && (!edit))
buf.append("<button type=\"submit\" class=\"Xstop\" name=\"action\" value=\"Stop ").append(index).append("\" >")
.append(_("Stop")).append("<span class=hide> ").append(index).append("</span></button>");
//if (showEditButton && (!edit) && !ro)
// buf.append("<button type=\"submit\" class=\"Xadd\" name=\"edit\" value=\"Edit ").append(index).append("\" >")
// .append(_("Edit")).append("<span class=hide> ").append(index).append("</span></button>");
if (isClientChangeEnabled() && showEditButton && (!edit) && !ro)
buf.append("<button type=\"submit\" class=\"Xadd\" name=\"edit\" value=\"Edit ").append(index).append("\" >")
.append(_("Edit")).append("<span class=hide> ").append(index).append("</span></button>");
if (showUpdateButton && (!edit) && !ro) {
buf.append("<button type=\"submit\" class=\"Xcheck\" name=\"action\" value=\"Check ").append(index).append("\" >")
.append(_("Check for updates")).append("<span class=hide> ").append(index).append("</span></button>");
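Review bot: In renderForm, `isClientChangeEnabled()` is re-evaluated for every row on the edit-button line even though the caller in the getForm1 hunk already passes `showEditButton` as `allowEdit && !showStop`, so for that caller the check is redundant and costs a context property lookup per client; if renderForm has other callers that pass an ungated `showEditButton` (not visible here) the double check is defensive, otherwise drop the `isClientChangeEnabled() && `. The new `isClientChangeEnabled`/`isPluginInstallEnabled` javadocs carry only `@since`; a one-line summary such as `/** True if the console allows adding or editing client entries (routerconsole.enableClientChange or advanced mode). @since 0.9.14.1 */` would say what the page is gating on. renderForm starts before and ends after the hunk shown.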


@ -26,7 +26,7 @@ public class ConfigReseedHelper extends HelperBase {
}
/** @since 0.8.9 */
public String getPassword() {
public String getNofilter_password() {
return _context.getProperty(Reseeder.PROP_PROXY_PASSWORD, "");
}
@ -46,7 +46,7 @@ public class ConfigReseedHelper extends HelperBase {
}
/** @since 0.8.9 */
public String getSpassword() {
public String getNofilter_spassword() {
return _context.getProperty(Reseeder.PROP_SPROXY_PASSWORD, "");
}
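Review bot: `getNofilter_password()` and `getNofilter_spassword()` return the stored proxy password verbatim, and configreseed.jsp inlines them into `value="..."` attributes through `<jsp:getProperty>`, which performs no HTML escaping, so a saved password containing `"` or `<` lands unescaped in the page. The rename moved these values past the request filter on the way in, so the escape has to happen on the way out: `return DataHelper.escapeHTML(_context.getProperty(Reseeder.PROP_PROXY_PASSWORD, ""));` (and the same for the spassword getter, with DataHelper imported), assuming `DataHelper.escapeHTML` covers the double quote — worth confirming. The input is `type="password"`, but the value still appears in the HTML source, which is the existing design rather than something this commit introduces.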


@ -122,7 +122,7 @@ public class ConfigStatsHandler extends FormHandler {
addFormNotice(_("Restart required to take effect"));
}
if (graphsChanged)
addFormNotice(_("Graph list updated, may take up to 60s to be reflected on the {0}Graphs Page{1}", "<a href=\"graphs\">", "</a>"));
addFormNoticeNoEscape(_("Graph list updated, may take up to 60s to be reflected on the {0}Graphs Page{1}", "<a href=\"graphs\">", "</a>"));
}
}
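Review bot: The switch to `addFormNoticeNoEscape` is justified only because both `{0}`/`{1}` arguments are literal anchor tags and the translated text carries no user input, but nothing on the line says so; a short comment keeps the next reader from treating the NoEscape variant as interchangeable with addFormNotice: `// literal anchor tags are passed as {0}/{1}, so this message is safe to queue unescaped`.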


@ -35,8 +35,12 @@ public class ConfigUIHandler extends FormHandler {
/** note - lang change is handled in CSSHelper but we still need to save it here */
private void saveChanges() {
if (_config == null)
if (_config == null || _config.length() <= 0)
return;
if (_config.replaceAll("[a-zA-Z0-9_-]", "").length() != 0) {
addFormError("Bad theme name");
return;
}
Map<String, String> changes = new HashMap<String, String>();
List<String> removes = new ArrayList<String>();
String oldTheme = _context.getProperty(CSSHelper.PROP_THEME_NAME, CSSHelper.DEFAULT_THEME);
@ -76,7 +80,7 @@ public class ConfigUIHandler extends FormHandler {
addFormError(_("No user name entered"));
return;
}
String pw = getJettyString("pw");
String pw = getJettyString("nofilter_pw");
if (pw == null || pw.length() <= 0) {
addFormError(_("No password entered"));
return;


@ -183,7 +183,7 @@ public class ConfigUIHelper extends HelperBase {
"</td><td align=\"left\"><input type=\"text\" name=\"name\">" +
"</td><td align=\"left\"><b>");
buf.append(_("Password")).append(":</b> " +
"<input type=\"password\" size=\"40\" name=\"pw\"></td></tr>" +
"<input type=\"password\" size=\"40\" name=\"nofilter_pw\"></td></tr>" +
"</table>\n");
return buf.toString();
}


@ -173,13 +173,16 @@ public class ConfigUpdateHandler extends FormHandler {
_newsThroughProxy = false;
String oldURL = ConfigUpdateHelper.getNewsURL(_context);
if ( (oldURL == null) || (!_newsURL.equals(oldURL)) ) {
//changes.put(PROP_NEWS_URL, _newsURL);
if (isAdvanced()) {
changes.put(PROP_NEWS_URL, _newsURL);
// this invalidates the news
//changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
//addFormNotice(_("Updating news URL to {0}", _newsURL));
changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
addFormNotice(_("Updating news URL to {0}", _newsURL));
} else {
addFormError("Changing news URL disabled");
}
}
}
if (_proxyHost != null && _proxyHost.length() > 0 && !_proxyHost.equals(_("internal"))) {
String oldHost = _context.router().getConfigSetting(PROP_PROXY_HOST);
@ -199,6 +202,7 @@ public class ConfigUpdateHandler extends FormHandler {
changes.put(PROP_SHOULD_PROXY, Boolean.toString(_updateThroughProxy));
changes.put(PROP_SHOULD_PROXY_NEWS, Boolean.toString(_newsThroughProxy));
if (isAdvanced())
changes.put(PROP_UPDATE_UNSIGNED, Boolean.toString(_updateUnsigned));
String oldFreqStr = _context.getProperty(PROP_REFRESH_FREQUENCY, DEFAULT_REFRESH_FREQUENCY);
@ -233,19 +237,26 @@ public class ConfigUpdateHandler extends FormHandler {
oldKeys = oldKeys.replace("\r\n", ",");
if (!_trustedKeys.equals(oldKeys)) {
// note that keys are not validated here and no console error message will be generated
if (isAdvanced()) {
changes.put(PROP_TRUSTED_KEYS, _trustedKeys);
addFormNotice(_("Updating trusted keys."));
} else {
addFormError("Changing trusted keys disabled");
}
}
}
if ( (_zipURL != null) && (_zipURL.length() > 0) ) {
String oldURL = _context.router().getConfigSetting(PROP_ZIP_URL);
if ( (oldURL == null) || (!_zipURL.equals(oldURL)) ) {
//changes.put(PROP_ZIP_URL, _zipURL);
//addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
if (isAdvanced()) {
changes.put(PROP_ZIP_URL, _zipURL);
addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
} else {
addFormError("Changing unsigned update URL disabled");
}
}
}
_context.router().saveConfig(changes, null);
}
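Review bot: The unsigned-update flag is the one advanced-only setting in this section that fails silently: `if (isAdvanced()) changes.put(PROP_UPDATE_UNSIGNED, ...)` simply drops the value, whereas the news URL, trusted keys and zip URL branches each emit an `addFormError(...)` when the user is not advanced. For consistency report it too, e.g. `else if (_updateUnsigned != _context.getBooleanProperty(PROP_UPDATE_UNSIGNED)) addFormError("Changing unsigned update setting disabled");` — this assumes the property is read as a boolean elsewhere, which the hunk does not show. processForm's body continues outside the hunks.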


@ -51,8 +51,8 @@ public abstract class FormHandler {
}
}
public void setNonce(String val) { _nonce = DataHelper.stripHTML(val); }
public void setAction(String val) { _action = DataHelper.stripHTML(val); }
public void setNonce(String val) { _nonce = val == null ? null : DataHelper.stripHTML(val); }
public void setAction(String val) { _action = val == null ? null : DataHelper.stripHTML(val); }
/**
* For many forms, it's easiest just to put all the parameters here.
@ -61,6 +61,14 @@ public abstract class FormHandler {
*/
public void setSettings(Map settings) { _settings = new HashMap(settings); }
/**
* Same as HelperBase
* @since 0.9.14.1
*/
public boolean isAdvanced() {
return _context.getBooleanProperty(HelperBase.PROP_ADVANCED);
}
/**
* setSettings() must have been called previously
* Curses Jetty for returning arrays.
@ -102,16 +110,31 @@ public abstract class FormHandler {
/**
* Add an error message to display
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/
protected void addFormError(String errorMsg) {
if (errorMsg == null) return;
_errors.add(errorMsg);
_errors.add(DataHelper.escapeHTML(errorMsg));
}
/**
* Add a non-error message to display
* Use if it does not include a link.
* Escapes '<' and '>' before queueing
*/
protected void addFormNotice(String msg) {
if (msg == null) return;
_notices.add(DataHelper.escapeHTML(msg));
}
/**
* Add a non-error message to display
* Use if it includes a link or other formatting.
* Does not escape '<' and '>' before queueing
* @since 0.9.14.1
*/
protected void addFormNoticeNoEscape(String msg) {
if (msg == null) return;
_notices.add(msg);
}
@ -180,7 +203,7 @@ public abstract class FormHandler {
}
// To prevent actions with GET, jsps must call storeMethod()
if (_method != null && !"POST".equals(_method)) {
addFormError("Invalid form submission, requires POST not " + _method);
addFormError("Invalid form submission, requires POST");
_valid = false;
return;
}
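Review bot: The `val == null ? null : DataHelper.stripHTML(val)` guard added to setNonce and setAction is repeated four more times in SummaryHelper in this commit, which implies `DataHelper.stripHTML` throws on null; either make stripHTML null-tolerant or add one protected helper here, `protected static String stripHTMLOrNull(String s) { return s == null ? null : DataHelper.stripHTML(s); }`, and call it from both classes so the guard cannot be forgotten on the next setter. Separately, the addFormError/addFormNotice javadoc says "Escapes '<' and '>'" while the code calls `DataHelper.escapeHTML`, which presumably also handles `&` and quotes; `* Escaped with DataHelper.escapeHTML() before queueing` would not under-promise. The `isAdvanced()` doc "Same as HelperBase" should name the method it mirrors with a `{@link}` if one exists there.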


@ -818,19 +818,19 @@ public class SummaryHelper extends HelperBase {
/* below here is stuff we need to get from summarynoframe.jsp to SummaryBarRenderer */
private String _action;
public void setAction(String s) { _action = DataHelper.stripHTML(s); }
public void setAction(String s) { _action = s == null ? null : DataHelper.stripHTML(s); }
public String getAction() { return _action; }
private String _consoleNonce;
public void setConsoleNonce(String s) { _consoleNonce = DataHelper.stripHTML(s); }
public void setConsoleNonce(String s) { _consoleNonce = s == null ? null : DataHelper.stripHTML(s); }
public String getConsoleNonce() { return _consoleNonce; }
private String _updateNonce;
public void setUpdateNonce(String s) { _updateNonce = DataHelper.stripHTML(s); }
public void setUpdateNonce(String s) { _updateNonce = s == null ? null : DataHelper.stripHTML(s); }
public String getUpdateNonce() { return _updateNonce; }
private String _requestURI;
public void setRequestURI(String s) { _requestURI = DataHelper.stripHTML(s); }
public void setRequestURI(String s) { _requestURI = s == null ? null : DataHelper.stripHTML(s); }
/**
* @return non-null; "/home" if (strangely) not set by jsp


@ -24,19 +24,20 @@
<%@include file="formhandler.jsi" %>
<div class="configure">
<div class="wideload">
<!--
<% if (advancedhelper.isAdvanced()) { %>
<form action="" method="POST">
<input type="hidden" name="nonce" value="<%=pageNonce%>" >
<input type="hidden" name="action" value="blah" >
-->
<% } // isAdvanced %>
<h3><%=intl._("Advanced I2P Configuration")%></h3>
<textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false" readonly="readonly"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
<!--
<textarea rows="32" cols="60" name="nofilter_config" wrap="off" spellcheck="false" <% if (!advancedhelper.isAdvanced()) { %>readonly="readonly"<% } %>><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
<% if (advancedhelper.isAdvanced()) { %>
<div class="formaction">
<input type="reset" class="cancel" value="<%=intl._("Cancel")%>" >
<input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" >
<br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%>
</div></form>
-->
<% } else { %>
To make changes, edit the router.config file.
<% } // isAdvanced %>
</div></div></div></body></html>
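Review bot: The conditional `readonly` on the `nofilter_config` textarea is the only visible cue that non-advanced users cannot save, and a reader of the JSP alone cannot tell whether it is the actual control; add `<%-- readonly is cosmetic: ConfigAdvancedHandler.processForm() rejects the save unless isAdvanced() --%>` above the textarea so the server-side gate is the documented one. Note that when `isAdvanced()` is false the textarea is rendered outside any `<form>` (the form opens and closes inside the advanced blocks), which is fine for display but means its `name="nofilter_config"` is then inert.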


@ -39,7 +39,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<%=intl._("All changes require restart to take effect.")%></i>
</p><hr><div class="formaction">
<input type="submit" class="cancel" name="foo" value="<%=intl._("Cancel")%>" />
<% if (false && request.getParameter("edit") == null) { %>
<% if (clientshelper.isClientChangeEnabled() && request.getParameter("edit") == null) { %>
<input type="submit" name="edit" class="add" value="<%=intl._("Add Client")%>" />
<% } %>
<input type="submit" class="accept" name="action" value="<%=intl._("Save Client Configuration")%>" />
@ -80,7 +80,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<%=intl._("Username")%>:
<input name="user" type="text" value="" /><br>
<%=intl._("Password")%>:
<input name="pw" type="password" value="" /><br>
<input name="nofilter_pw" type="password" value="" /><br>
</p><p><b><%=intl._("The default settings will work for most people.")%></b>
<%=intl._("Any changes made here must also be configured in the external client.")%>
<%=intl._("Many clients do not support SSL or authorization.")%>
@ -117,7 +117,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
<input type="submit" name="action" class="accept" value="<%=intl._("Save Plugin Configuration")%>" />
</div></form></div>
<!--
<% if (clientshelper.isPluginInstallEnabled()) { %>
<h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p>
<%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%>
<%=intl._("To install a plugin, enter the download URL:")%>
@ -133,6 +133,8 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
</div><hr><div class="formaction">
<input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" />
</div></form></div>
-->
<% } %>
<%
} // pluginInstallEnabled
} // showPlugins
%>
</div></div></body></html>
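Review bot: The `clientshelper.isClientChangeEnabled()` and `clientshelper.isPluginInstallEnabled()` checks added at the first and third hunks only decide whether the Add Client and plugin-install forms are rendered; the handler that consumes the parameters those forms submit is not in this section, and a hand-built POST reaches it whatever the page shows. The same two checks need to be enforced in that handler (the commit message describes server-side gating, but this page does not show it — confirm). The rename to `nofilter_pw` at the second hunk means the password value is no longer filtered on the way in; that is fine as long as the handler never echoes it back into HTML, and here the field is correctly rendered with `value=""`.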


@ -52,7 +52,7 @@
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Username")%>:</b></td>
<td><input name="username" type="text" value="<jsp:getProperty name="reseedHelper" property="username" />" ></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Password")%>:</b></td>
<td><input name="password" type="password" value="<jsp:getProperty name="reseedHelper" property="password" />" ></td></tr>
<td><input name="nofilter_password" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_password" />" ></td></tr>
<!-- TODO Need SSLEepGet support
<tr><td class="mediumtags" align="right"><b><%=intl._("Enable HTTPS Proxy?")%></b></td>
@ -67,7 +67,7 @@
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Username")%>:</b></td>
<td><input name="susername" type="text" value="<jsp:getProperty name="reseedHelper" property="susername" />" ></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Password")%>:</b></td>
<td><input name="spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="spassword" />" ></td></tr>
<td><input name="nofilter_spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_spassword" />" ></td></tr>
-->
</table></div>
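Review bot: With the field renamed to `nofilter_password` at the first hunk, the value bound from the `reseedHelper` property of the same name is no longer HTML-stripped on input, yet it is still written into a double-quoted `value` attribute; the helper's getter must escape `"`, `<` and `&` for an attribute context, or a stored password containing a quote breaks out of the attribute. The same applies to `nofilter_spassword` at the second hunk. That second hunk also sits inside the `<!-- TODO ... -->` HTML comment, which does not stop `<jsp:getProperty>` from executing, so the HTTPS proxy password is still emitted into the page source even though the control is hidden — a JSP comment `<%-- ... --%>` or a scriptlet `if` around the block would keep it out of the response entirely.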


@ -41,7 +41,7 @@
<% } %></td></tr>
<tr><td colspan="2"><br></td></tr>
<tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td>
<td><input type="text" size="60" name="newsURL" readonly="readonly" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
<td><input type="text" size="60" name="newsURL" <% if (!updatehelper.isAdvanced()) { %>readonly="readonly"<% } %> value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b>
<td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr>
<% if (updatehelper.canInstall()) { %>
@ -64,13 +64,11 @@
<td><textarea cols="60" rows="6" name="updateURL" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="updateURL" /></textarea></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Trusted keys")%>:</b></td>
<td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr>
<% } // if isAdvanced %>
<!--
<tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td>
<td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td>
</tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td>
<td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr>
-->
<% } // if isAdvanced %>
<% } else { %>
<tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr>
<% } // if canInstall %>
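Review bot: The `readonly` attribute that the first hunk now drops only when `updatehelper.isAdvanced()` is a client-side hint, not a control: a non-advanced user can still submit a `newsURL` value, so the form handler must ignore or reject that parameter unless the same `isAdvanced()` condition holds (the handler is outside this section — confirm). Moving `<% } // if isAdvanced %>` below the unsigned-build rows at the second hunk re-enables the `zipURL` input for advanced users; its `<jsp:getProperty>` value lands inside a double-quoted attribute, so the helper's getter must attribute-escape it. A short comment next to the moved closing brace, e.g. `<%-- unsigned-build URL only rendered for advanced; handler must re-check --%>`, would make the gating intent visible to the next editor.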


@ -12,7 +12,9 @@
* with headers set so the browser caches.
*/
String c = request.getParameter("c");
if (c != null && c.length() > 0) {
if (c != null &&
(c.length() == 2 || c.length() == 7) &&
c.replaceAll("[a-z_]", "").length() == 0) {
java.io.OutputStream cout = response.getOutputStream();
String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
String file = "docs" + java.io.File.separatorChar + "icons" + java.io.File.separatorChar +
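Review bot: The allow-list in the rewritten three-line condition is the only thing standing between the `c` request parameter and the file path assembled on the last visible line, and that path construction continues past the hunk, so a later edit that loosens the character class silently reintroduces a traversal risk; a comment stating this would help, e.g. `// c is appended to a file path below: accept only [a-z_] of length 2 or 7`. Stylistically, `c.replaceAll("[a-z_]", "").length() == 0` reads as a length computation rather than a validation; `c.matches("[a-z_]+")` expresses the same check directly.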


@ -14,10 +14,11 @@
<div class="main" id="main"><div class="wideload">
<%
String peerB64 = request.getParameter("peer");
if (peerB64 == null || peerB64.length() <= 0) {
if (peerB64 == null || peerB64.length() <= 0 ||
peerB64.replaceAll("[a-zA-Z0-9~=-]", "").length() != 0) {
out.print("No peer specified");
} else {
peerB64 = net.i2p.data.DataHelper.stripHTML(peerB64); // XSS
%>
<jsp:useBean id="stathelper" class="net.i2p.router.web.StatHelper" />
<jsp:setProperty name="stathelper" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
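Review bot: After the new character allow-list on `peerB64`, the `DataHelper.stripHTML(peerB64)` call that follows in the else branch presumably can no longer change the value — the permitted set `[a-zA-Z0-9~=-]` contains nothing HTML-related — so either drop it or mark it as intentional: `// redundant after the allow-list above; kept as defense in depth`. The allow-list also sets no upper bound on length; if `peer` is always a base64-encoded router hash, a fixed-length check would be tighter — confirm against the helper that consumes it. The else branch continues past the hunk.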


@ -1,3 +1,14 @@
2014-08-03 zzz
* Console:
- Fix update buttons
- Don't filter parameter names starting with "nofilter_"
- Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
- Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
- Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
- Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
- More escaping
* i2psnark: Fix add torrent form
2014-07-31 zzz
* ExecNamingService: Remove
* Plugins: Add whitelist of keys


@ -18,10 +18,10 @@ public class RouterVersion {
/** deprecated */
public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION;
public final static long BUILD = 1;
public final static long BUILD = 2;
/** for example "-test" */
public final static String EXTRA = "";
public final static String EXTRA = "-rc";
public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;
public static void main(String args[]) {
System.out.println("I2P Router version: " + FULL_VERSION);