Changeset af575d6


Timestamp:
Jul 26, 2014 9:32:26 AM (7 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
58578d90
Parents:
e9c8748
Message:
  • Console:
    • Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
    • Add Content-Security-Policy and X-XSS-Protection headers
    • Disable changing news feed URL from UI
    • Disable plugin install from UI
    • Disable setting unsigned update URL from UI
    • Disable /configadvanced
  • DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
  • ExecNamingService: Disable (thx joernchen of Phenoelit)
  • Startup: Add susimail.config to migrated files
Files:
32 edited

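--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -160,4 +160,6 @@
         String path = req.getServletPath();
         resp.setHeader("X-Frame-Options", "SAMEORIGIN");
+        resp.setHeader("Content-Security-Policy", "default-src 'self'");
+        resp.setHeader("X-XSS-Protection", "1; mode=block");
 
         String peerParam = req.getParameter("p");
@@ -168,7 +170,8 @@
             peerString = "";
         } else {
-            peerString = "?p=" + peerParam;
+            peerString = "?p=" + DataHelper.stripHTML(peerParam);
         }
         if (stParam != null && !stParam.equals("0")) {
+            stParam = DataHelper.stripHTML(stParam);
             if (peerString.length() > 0)
                 peerString += "&amp;st=" + stParam;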
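Review bot: `DataHelper.stripHTML()` is applied to `peerParam` and `stParam` as if it were an output encoder, but it only blanks `<`/`>` and rewrites `"`, so `'`, `&` and `%` still pass into `peerString`, which is being assembled as a query string (`"?p="`, `"&amp;st="`) and is presumably written into `href` attributes further down. Validate rather than sanitize — a peer id and a start offset have a fixed shape (confirm against the callers) — and URL-encode at the point of use, e.g. `peerString = "?p=" + URLEncoder.encode(peerParam, "UTF-8");`. The new `default-src 'self'` policy will block any inline script or style this servlet emits; whether it emits any is outside this hunk. The enclosing method continues past the hunk on both sides.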
  • apps/i2ptunnel/jsp/edit.jsp

    re9c8748 raf575d6  
    33
    44    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     5    response.setHeader("Content-Security-Policy", "default-src 'self'");
     6    response.setHeader("X-XSS-Protection", "1; mode=block");
    57
    68%><%@page pageEncoding="UTF-8"
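Review bot: The three security headers are now hand-copied into each i2ptunnel and susidns page, while the router console centralizes them in `css.jsi`; a shared include or a servlet filter in these webapps would keep the header set identical and stop a later edit from silently dropping one header on one page. At minimum a comment on the line above the `setHeader` calls, e.g. `// keep in sync with css.jsi and the other JSPs: CSP is the XSS control, X-XSS-Protection is a legacy browser hint`, would make the pairing explicit.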
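--- a/apps/i2ptunnel/jsp/editClient.jsp
+++ b/apps/i2ptunnel/jsp/editClient.jsp
@@ -53,8 +53,8 @@
                 } else {
                     tunnelTypeName = editBean.getTypeName(request.getParameter("type"));
-                    tunnelType = request.getParameter("type");
+                    tunnelType = net.i2p.data.DataHelper.stripHTML(request.getParameter("type"));
                   %><h4><%=intl._("New proxy settings")%></h4><%
                 } %>
-                <input type="hidden" name="tunnel" value="<%=request.getParameter("tunnel")%>" />
+                <input type="hidden" name="tunnel" value="<%=curTunnel%>" />
                 <input type="hidden" name="nonce" value="<%=editBean.getNextNonce()%>" />
                 <input type="hidden" name="type" value="<%=tunnelType%>" />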
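Review bot: `tunnelType` is cleaned with `stripHTML` and then echoed into the hidden `type` field, yet this family of pages only ever compares the type against a fixed set of literals (`"client"`, `"httpclient"`, `"streamrclient"` … as seen in wizard.jsp in this changeset), so a whitelist is both safer and simpler: reject or default any value that is not a known type instead of emitting a partially scrubbed arbitrary string. `editBean.getTypeName(request.getParameter("type"))` on the line above still receives the raw parameter; whether its return value is rendered unescaped is not visible here. If `stripHTML` has no null guard (only its tail appears in this changeset), a request without `type` will now throw where it previously yielded `null`.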
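--- a/apps/i2ptunnel/jsp/editServer.jsp
+++ b/apps/i2ptunnel/jsp/editServer.jsp
@@ -53,8 +53,8 @@
                 } else {
                     tunnelTypeName = editBean.getTypeName(request.getParameter("type"));
-                    tunnelType = request.getParameter("type");
+                    tunnelType = net.i2p.data.DataHelper.stripHTML(request.getParameter("type"));
                   %><h4><%=intl._("New server settings")%></h4><%
                 } %>
-                <input type="hidden" name="tunnel" value="<%=request.getParameter("tunnel")%>" />
+                <input type="hidden" name="tunnel" value="<%=curTunnel%>" />
                 <input type="hidden" name="nonce" value="<%=editBean.getNextNonce()%>" />
                 <input type="hidden" name="type" value="<%=tunnelType%>" />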
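Review bot: Same concern as the client editor: `tunnelType` feeds string comparisons against fixed server-type literals and a hidden form field, so validating it against the known server types (if `editBean.getTypeName()` returns null for unknown values, that is a ready-made check — confirm its contract) is preferable to `stripHTML`, which still lets `'` and `&` through. `getTypeName(request.getParameter("type"))` on the preceding line is still fed the raw parameter.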
  • apps/i2ptunnel/jsp/index.jsp

    re9c8748 raf575d6  
    77
    88    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     9    response.setHeader("Content-Security-Policy", "default-src 'self'");
     10    response.setHeader("X-XSS-Protection", "1; mode=block");
    911
    1012%><%@page pageEncoding="UTF-8"
  • apps/i2ptunnel/jsp/wizard.jsp

    re9c8748 raf575d6  
    77
    88    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     9    response.setHeader("Content-Security-Policy", "default-src 'self'");
     10    response.setHeader("X-XSS-Protection", "1; mode=block");
    911
    1012%><%@page pageEncoding="UTF-8"
     
    4042   boolean tunnelIsClient = Boolean.valueOf(request.getParameter("isClient"));
    4143   String tunnelType = request.getParameter("type");
     44   tunnelType = net.i2p.data.DataHelper.stripHTML(tunnelType);
    4245   /* Special case - don't display page 4 for server tunnels */
    4346   if (curPage == 4 && !tunnelIsClient) {
     
    225228                    <%=intl._("Name")%>:(<span class="accessKey">N</span>)
    226229                </label>
    227                 <input type="text" size="30" maxlength="50" name="name" id="name" title="Tunnel Name" value="<%=(!"null".equals(request.getParameter("name")) ? request.getParameter("name") : "" ) %>" class="freetext" />
     230                <input type="text" size="30" maxlength="50" name="name" id="name" title="Tunnel Name" value="<%=(!"null".equals(request.getParameter("name")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("name")) : "" ) %>" class="freetext" />
    228231            </div>
    229232            <div id="descriptionField" class="rowItem">
     
    231234                    <%=intl._("Description")%>:(<span class="accessKey">E</span>)
    232235                </label>
    233                 <input type="text" size="60" maxlength="80" name="description"  id="description" title="Tunnel Description" value="<%=(!"null".equals(request.getParameter("description")) ? request.getParameter("description") : "" ) %>" class="freetext" />
     236                <input type="text" size="60" maxlength="80" name="description"  id="description" title="Tunnel Description" value="<%=(!"null".equals(request.getParameter("description")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("description")) : "" ) %>" class="freetext" />
    234237            </div><%
    235238            } else {
    236             %><input type="hidden" name="name" value="<%=request.getParameter("name")%>" />
    237             <input type="hidden" name="description" value="<%=request.getParameter("description")%>" /><%
     239            %><input type="hidden" name="name" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("name"))%>" />
     240            <input type="hidden" name="description" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("description"))%>" /><%
    238241            } /* curPage 3 */
    239242
     
    253256                    <%=intl._("Outproxies")%>(<span class="accessKey">x</span>):
    254257                </label>
    255                 <input type="text" size="30" id="proxyList" name="proxyList" title="List of Outproxy I2P destinations" value="<%=(!"null".equals(request.getParameter("proxyList")) ? request.getParameter("proxyList") : "" ) %>" class="freetext" />
     258                <input type="text" size="30" id="proxyList" name="proxyList" title="List of Outproxy I2P destinations" value="<%=(!"null".equals(request.getParameter("proxyList")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList")) : "" ) %>" class="freetext" />
    256259            </div><%
    257260                } else {
    258             %><input type="hidden" name="proxyList" value="<%=request.getParameter("proxyList")%>" /><%
     261            %><input type="hidden" name="proxyList" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList"))%>" /><%
    259262                } /* curPage 4 */
    260263              } else if ("client".equals(tunnelType) || "ircclient".equals(tunnelType) || "streamrclient".equals(tunnelType)) {
     
    268271                    <%=intl._("Tunnel Destination")%>(<span class="accessKey">T</span>):
    269272                </label>
    270                 <input type="text" size="30" id="targetDestination" name="targetDestination" title="Destination of the Tunnel" value="<%=(!"null".equals(request.getParameter("targetDestination")) ? request.getParameter("targetDestination") : "" ) %>" class="freetext" />
     273                <input type="text" size="30" id="targetDestination" name="targetDestination" title="Destination of the Tunnel" value="<%=(!"null".equals(request.getParameter("targetDestination")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination")) : "" ) %>" class="freetext" />
    271274                <span class="comment">(<%=intl._("name, name:port, or destination")%>
    272275                     <% if ("streamrclient".equals(tunnelType)) { /* deferred resolution unimplemented in streamr client */ %>
     
    276279            </div><%
    277280                } else {
    278             %><input type="hidden" name="targetDestination" value="<%=request.getParameter("targetDestination")%>" /><%
     281            %><input type="hidden" name="targetDestination" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination"))%>" /><%
    279282                } /* curPage 4 */
    280283              }
     
    295298                    <%=intl._("Host")%>(<span class="accessKey">H</span>):
    296299                </label>
    297                 <input type="text" size="20" id="targetHost" name="targetHost" title="Target Hostname or IP" value="<%=(!"null".equals(request.getParameter("targetHost")) ? request.getParameter("targetHost") : "127.0.0.1" ) %>" class="freetext" />
     300                <input type="text" size="20" id="targetHost" name="targetHost" title="Target Hostname or IP" value="<%=(!"null".equals(request.getParameter("targetHost")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost")) : "127.0.0.1" ) %>" class="freetext" />
    298301            </div><%
    299302              } else {
    300             %><input type="hidden" name="targetHost" value="<%=request.getParameter("targetHost")%>" /><%
     303            %><input type="hidden" name="targetHost" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost"))%>" /><%
    301304              } /* curPage 5 */
    302305            } /* streamrclient or !streamrserver */ %>
     
    311314                    <%=intl._("Port")%>(<span class="accessKey">P</span>):
    312315                </label>
    313                 <input type="text" size="6" maxlength="5" id="targetPort" name="targetPort" title="Target Port Number" value="<%=(!"null".equals(request.getParameter("targetPort")) ? request.getParameter("targetPort") : "" ) %>" class="freetext" />
     316                <input type="text" size="6" maxlength="5" id="targetPort" name="targetPort" title="Target Port Number" value="<%=(!"null".equals(request.getParameter("targetPort")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort")) : "" ) %>" class="freetext" />
    314317            </div><%
    315318              } else {
    316             %><input type="hidden" name="targetPort" value="<%=request.getParameter("targetPort")%>" /><%
     319            %><input type="hidden" name="targetPort" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort"))%>" /><%
    317320              } /* curPage 5 */
    318321            } /* !tunnelIsClient */ %>
     
    328331                    <span class="accessKey">P</span>ort:
    329332                </label>
    330                 <input type="text" size="6" maxlength="5" id="port" name="port" title="Access Port Number" value="<%=(!"null".equals(request.getParameter("port")) ? request.getParameter("port") : "" ) %>" class="freetext" />
     333                <input type="text" size="6" maxlength="5" id="port" name="port" title="Access Port Number" value="<%=(!"null".equals(request.getParameter("port")) ? net.i2p.data.DataHelper.stripHTML(request.getParameter("port")) : "" ) %>" class="freetext" />
    331334            </div><%
    332335              } else {
    333             %><input type="hidden" name="port" value="<%=request.getParameter("port")%>" /><%
     336            %><input type="hidden" name="port" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("port"))%>" /><%
    334337              } /* curPage 5 */
    335338            } /* tunnelIsClient or httpbidirserver */ %>
     
    367370            </div><%
    368371              } else {
    369             %><input type="hidden" name="reachableBy" value="<%=request.getParameter("reachableBy")%>" /><%
     372            %><input type="hidden" name="reachableBy" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("reachableBy"))%>" /><%
    370373              } /* curPage 5 */
    371374            } /* (tunnelIsClient && !streamrclient) ||  httpbidirserver || streamrserver */
     
    389392            } else {
    390393              if ("1".equals(request.getParameter("startOnLoad"))) {
    391             %><input type="hidden" name="startOnLoad" value="<%=request.getParameter("startOnLoad")%>" /><%
     394            %><input type="hidden" name="startOnLoad" value="<%=net.i2p.data.DataHelper.stripHTML(request.getParameter("startOnLoad"))%>" /><%
    392395              }
    393396            } /* curPage 6 */
     
    437440                </td></tr>
    438441                <tr><td><%=intl._("Tunnel name and description")%></td><td>
    439                     <%=request.getParameter("name")%><br />
    440                     <%=request.getParameter("description")%>
     442                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("name"))%><br />
     443                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("description"))%>
    441444                </td></tr><%
    442445                if (tunnelIsClient) { %>
    443446                <tr><td><%=intl._("Tunnel destination")%></td><td><%
    444447                  if ("httpclient".equals(tunnelType) || "connectclient".equals(tunnelType) || "sockstunnel".equals(tunnelType) || "socksirctunnel".equals(tunnelType)) { %>
    445                     <%=request.getParameter("proxyList")%><%
     448                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("proxyList"))%><%
    446449                  } else if ("client".equals(tunnelType) || "ircclient".equals(tunnelType) || "streamrclient".equals(tunnelType)) { %>
    447                     <%=request.getParameter("targetDestination")%><%
     450                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetDestination"))%><%
    448451                  } %>
    449452                </td></tr><%
     
    451454                <tr><td><%=intl._("Binding address and port")%></td><td><%
    452455                if ((tunnelIsClient && "streamrclient".equals(tunnelType)) || (!tunnelIsClient && !"streamrserver".equals(tunnelType))) { %>
    453                     <%=request.getParameter("targetHost")%><br /><%
     456                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetHost"))%><br /><%
    454457                }
    455458                if (!tunnelIsClient) { %>
    456                     <%=request.getParameter("targetPort")%><br /><%
     459                    <%=net.i2p.data.DataHelper.stripHTML(request.getParameter("targetPort"))%><br /><%
    457460                }
    458461                if (tunnelIsClient || "httpbidirserver".equals(tunnelType)) { %>
    459                     <br /><%=request.getParameter("port")%><%
     462                    <br /><%=net.i2p.data.DataHelper.stripHTML(request.getParameter("port"))%><%
    460463                }
    461464                if ((tunnelIsClient && !"streamrclient".equals(tunnelType)) || "httpbidirserver".equals(tunnelType) || "streamrserver".equals(tunnelType)) { %>
    462                     <br /><%=request.getParameter("reachableBy")%><%
     465                    <br /><%=net.i2p.data.DataHelper.stripHTML(request.getParameter("reachableBy"))%><%
    463466                } %>
    464467                </td></tr>
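Review bot: `stripHTML` is serving as the output encoder for three contexts on this page — double-quoted `value="…"` attributes, the hidden re-submit fields and element text — but it rewrites the data instead of escaping it: `"` becomes the literal `%22` and `<`/`>` become spaces, and because the hidden fields on the following wizard pages carry the already-stripped value forward, the altered string is what finally gets saved. An HTML-attribute escaper (`&quot;`, `&amp;`, `&lt;`, `&gt;`, `&#39;`) at the `<%= %>` sites keeps the data intact and also covers `&` and `'`, which `stripHTML` passes through. `targetPort` and `port` would be better validated as integers before being echoed, and the hidden-field branches call `stripHTML(request.getParameter(...))` without the null guard the visible branches use (whether `stripHTML` tolerates null is not visible in this changeset). The pre-existing `!"null".equals(...)` tests compare against the string `"null"`, presumably for a re-posted hidden field, and deserve a one-line comment saying so.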
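--- a/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java
@@ -58,5 +58,5 @@
     public void setLang(String lang) {
         // Protected with nonce in css.jsi
-        if (lang != null && lang.length() > 0) {
+        if (lang != null && lang.length() > 0 && lang.length() <= 6) {
             Map m = new HashMap(2);
             int under = lang.indexOf('_');
@@ -106,7 +106,7 @@
             if (Integer.parseInt(r) < MIN_REFRESH)
                 r = "" + MIN_REFRESH;
+            _context.router().saveConfig(PROP_REFRESH, r);
         } catch (Exception e) {
         }
-        _context.router().saveConfig(PROP_REFRESH, r);
     }
 
@@ -118,4 +118,5 @@
                 r = "" + MIN_REFRESH;
         } catch (Exception e) {
+            r = "" + MIN_REFRESH;
         }
         return r;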
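Review bot: `lang.length() <= 6` bounds the size of `lang` but not its characters; what `lang` is used for after the `m.put` (a config property, presumably later a locale/resource lookup) is outside the hunk, so a shape check is the more useful guard, e.g. `if (lang != null && lang.matches("[A-Za-z]{2,3}(_[A-Za-z]{2,3})?")) {` adjusted to the locale codes the console actually ships. Moving `saveConfig` inside the `try` correctly keeps an unparsable refresh value out of the config, but `catch (Exception e) {}` still swallows it silently — narrow it to `NumberFormatException` and add `// invalid value: reject without saving` so the intent is explicit. The `getRefresh()` fallback to `MIN_REFRESH` on a bad stored value is a sensible pairing with the numeric `delay` now emitted by summaryframe.jsp.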
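--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigAdvancedHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigAdvancedHandler.java
@@ -22,5 +22,6 @@
     protected void processForm() {
         if (_shouldSave) {
-            saveChanges();
+            //saveChanges();
+            addFormError("Save disabled, edit the router.config file to make changes") ;
         } else {
             // noop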
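Review bot: The save path is neutralized by commenting out `saveChanges()` and leaving the dead call in place, with nothing saying why or under what condition it may come back; prefer deleting the line (history has it) and stating the reason, e.g. `// Disabled 2014-07-26: free-form router.config edits from the web UI are withheld until this form is re-reviewed (see history.txt)`. The message passed to `addFormError` is a raw English literal, whereas the sibling handlers in this changeset wrap user-visible strings in `_()`. The method's `else` branch continues outside the hunk.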
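--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigClientsHandler.java
@@ -55,5 +55,6 @@
         }
         if (_action.equals(_("Install Plugin"))) {
-            installPlugin();
+            //installPlugin();
+            addFormError("Plugin installation disabled");
             return;
         }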
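Review bot: `installPlugin()` is disabled by commenting out the call while the form action is still recognized and answered with a hardcoded, untranslated error, although `_("Install Plugin")` on the previous line shows the file uses `_()` for user-facing text. Remove the commented line and record the reason, e.g. `// Plugin install from the console is disabled (history.txt 2014-07-26); the form in configclients.jsp is hidden but a crafted POST still reaches here`. Because the JSP only hides the form inside an HTML comment, this server-side rejection is the actual control — worth a comment so it is not later removed as dead code.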
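--- a/apps/routerconsole/java/src/net/i2p/router/web/ConfigUpdateHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/ConfigUpdateHandler.java
@@ -174,8 +174,9 @@
             String oldURL = ConfigUpdateHelper.getNewsURL(_context);
             if ( (oldURL == null) || (!_newsURL.equals(oldURL)) ) {
-                changes.put(PROP_NEWS_URL, _newsURL);
+                //changes.put(PROP_NEWS_URL, _newsURL);
                 // this invalidates the news
-                changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
-                addFormNotice(_("Updating news URL to {0}", _newsURL));
+                //changes.put(NewsHelper.PROP_LAST_CHECKED, "0");
+                //addFormNotice(_("Updating news URL to {0}", _newsURL));
+                addFormError("Changing news URL disabled");
             }
         }
@@ -241,6 +242,7 @@
             String oldURL = _context.router().getConfigSetting(PROP_ZIP_URL);
             if ( (oldURL == null) || (!_zipURL.equals(oldURL)) ) {
-                changes.put(PROP_ZIP_URL, _zipURL);
-                addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
+                //changes.put(PROP_ZIP_URL, _zipURL);
+                //addFormNotice(_("Updating unsigned update URL to {0}", _zipURL));
+                addFormError("Changing unsigned update URL disabled");
             }
         }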
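Review bot: Instead of refusing every change to `_newsURL` and `_zipURL`, the handler could keep the feature and validate the value — parse it with `java.net.URI`, require the scheme and host class the router expects (presumably http to an `.i2p` host; confirm), and reject anything else — since the old/new comparison is already in place in both branches. If disabling is deliberate as an interim measure, say so in a comment next to the commented-out `changes.put` lines rather than leaving dead code unexplained. The two new `addFormError` strings are raw literals while the `addFormNotice` lines they replace used `_()`. Both enclosing methods continue outside the hunks.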
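--- a/apps/routerconsole/java/src/net/i2p/router/web/FormHandler.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/FormHandler.java
@@ -6,4 +6,5 @@
 import java.util.Map;
 
+import net.i2p.data.DataHelper;
 import net.i2p.router.RouterContext;
 import net.i2p.util.Log;
@@ -51,6 +52,6 @@
     }
 
-    public void setNonce(String val) { _nonce = val; }
-    public void setAction(String val) { _action = val; }
+    public void setNonce(String val) { _nonce = DataHelper.stripHTML(val); }
+    public void setAction(String val) { _action = DataHelper.stripHTML(val); }
 
     /**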
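Review bot: `stripHTML` is the wrong tool for `_nonce`: a nonce is compared with a server-generated value, and if it is ever echoed in an error message it needs HTML-escaping at that output point, not lossy rewriting at input (`"` becoming `%22` only turns a bad nonce into a confusingly different bad nonce). A clearer check is to validate the shape of what the server itself generates (not visible here — presumably decimal or hex) and discard anything else, e.g. `_nonce = (val != null && val.matches("[0-9A-Za-z_-]+")) ? val : null;`. If `stripHTML` has no null guard (only its tail is in this changeset), `setNonce(null)` now throws where it used to store null.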
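--- a/apps/routerconsole/java/src/net/i2p/router/web/SummaryHelper.java
+++ b/apps/routerconsole/java/src/net/i2p/router/web/SummaryHelper.java
@@ -819,17 +819,17 @@
 
     private String _action;
-    public void setAction(String s) { _action = s; }
+    public void setAction(String s) { _action = DataHelper.stripHTML(s); }
     public String getAction() { return _action; }
 
     private String _consoleNonce;
-    public void setConsoleNonce(String s) { _consoleNonce = s; }
+    public void setConsoleNonce(String s) { _consoleNonce = DataHelper.stripHTML(s); }
     public String getConsoleNonce() { return _consoleNonce; }
 
     private String _updateNonce;
-    public void setUpdateNonce(String s) { _updateNonce = s; }
+    public void setUpdateNonce(String s) { _updateNonce = DataHelper.stripHTML(s); }
     public String getUpdateNonce() { return _updateNonce; }
 
     private String _requestURI;
-    public void setRequestURI(String s) { _requestURI = s; }
+    public void setRequestURI(String s) { _requestURI = DataHelper.stripHTML(s); }
 
     /**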
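Review bot: `_requestURI` is the one of these four values most likely to be reflected into markup, and `stripHTML` leaves `'`, `&` and `%` untouched, so the stored value is only safe inside a double-quoted attribute or element text — where `_requestURI` is emitted is outside the hunk and should be checked. A shape check (`s.startsWith("/")`, no whitespace or control characters) plus HTML-escaping at the emit site is more robust than lossy stripping at input. For `_consoleNonce` and `_updateNonce`, validating against the format the server generates and discarding anything else is cleaner than stripping; `"` becoming `%22` changes the value, which for a compared nonce only shows up as a confusing failure mode.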
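--- a/apps/routerconsole/jsp/configadvanced.jsp
+++ b/apps/routerconsole/jsp/configadvanced.jsp
@@ -25,12 +25,18 @@
  <div class="configure">
  <div class="wideload">
+<!--
  <form action="" method="POST">
  <input type="hidden" name="nonce" value="<%=pageNonce%>" >
  <input type="hidden" name="action" value="blah" >
+-->
  <h3><%=intl._("Advanced I2P Configuration")%></h3>
- <textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
+ <textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false" readonly="readonly"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
+<!--
       <div class="formaction">
         <input type="reset" class="cancel" value="<%=intl._("Cancel")%>" >
         <input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" >
  <br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%>
- </div></form></div></div></div></body></html>
+ </div></form>
+-->
+To make changes, edit the router.config file.
+</div></div></div></body></html>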
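Review bot: The form is hidden with HTML comments (`<!-- … -->`), which the JSP engine still evaluates and ships to the browser: `<%=pageNonce%>` inside the comment is expanded, so the nonce and the whole dead form remain in the response source. Use JSP comments (`<%-- … --%>`) so the markup is neither evaluated nor sent, or delete it outright. The new sentence `To make changes, edit the router.config file.` is outside `intl._()`, unlike every other visible string on the page. `readonly` on the textarea is a client-side hint only; the real control is the rejection in ConfigAdvancedHandler, and a comment here saying so would stop someone from "fixing" the page by removing the attribute.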
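--- a/apps/routerconsole/jsp/configclients.jsp
+++ b/apps/routerconsole/jsp/configclients.jsp
@@ -118,4 +118,5 @@
 </div></form></div>
 
+<!--
 <h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p>
  <%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%>
@@ -133,4 +134,5 @@
  <input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" />
  </div></form></div>
+-->
 <% } %>
 </div></div></body></html>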
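Review bot: The plugin-installation block is disabled with an HTML comment, so the `<%=intl._(...)%>` expressions inside it still execute on the server and the whole form (including any nonce field between the two hunks) is still sent to the client inside `<!-- … -->`. A JSP comment (`<%-- … --%>`) or deleting the block avoids both; the server-side rejection in ConfigClientsHandler is what actually prevents installs. The `<% } %>` on the last context line closes a scriptlet block that opens outside the hunk.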
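--- a/apps/routerconsole/jsp/configupdate.jsp
+++ b/apps/routerconsole/jsp/configupdate.jsp
@@ -42,5 +42,5 @@
         <tr><td colspan="2"><br></td></tr>
         <tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td>
-          <td><input type="text" size="60" name="newsURL" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
+          <td><input type="text" size="60" name="newsURL" readonly="readonly" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
         </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b>
           <td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr>
@@ -66,8 +66,10 @@
           <td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr>
       <% }   // if isAdvanced %>
+<!--
         <tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td>
           <td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td>
         </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td>
           <td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr>
+-->
     <% } else { %>
         <tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr>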
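Review bot: `<jsp:getProperty name="updatehelper" property="zipURL" />` inside the new `<!-- … -->` is still evaluated by the JSP engine, so the configured unsigned-build URL continues to be disclosed in the page source even though the field is hidden; switch to `<%-- … --%>` so the block is neither evaluated nor sent. `readonly` on the `newsURL` input is purely cosmetic — a crafted POST bypasses it and the enforcement is the rejection in ConfigUpdateHandler — so a short comment next to the attribute noting that would help the next editor. The `<% } else { %>` on the last context line closes an `if` that starts outside the hunk.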
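--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -31,6 +31,9 @@
 <%
    // clickjacking
-   if (intl.shouldSendXFrame())
+   if (intl.shouldSendXFrame()) {
       response.setHeader("X-Frame-Options", "SAMEORIGIN");
+      response.setHeader("Content-Security-Policy", "default-src 'self'");
+      response.setHeader("X-XSS-Protection", "1; mode=block");
+   }
 
    String conNonceParam = request.getParameter("consoleNonce");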
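Review bot: Content-Security-Policy and X-XSS-Protection are emitted only when `intl.shouldSendXFrame()` is true, so an operator who turns off the anti-clickjacking header (the case that switch exists for) also silently loses the XSS mitigations this changeset adds. Keep only `X-Frame-Options` under the `if` and move the two new `response.setHeader(...)` calls after the closing brace so they are sent unconditionally; the `// clickjacking` comment then stays accurate for the one header it describes. Add `// XSS mitigation: not tied to the X-Frame-Options opt-out` above the unconditional pair.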
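--- a/apps/routerconsole/jsp/summaryframe.jsp
+++ b/apps/routerconsole/jsp/summaryframe.jsp
@@ -23,5 +23,5 @@
     if (!shutdownSoon) {
         if (d == null || "".equals(d)) {
-            d = intl.getRefresh();
+            // set below
         } else {
             d = net.i2p.data.DataHelper.stripHTML(d);  // XSS
@@ -29,4 +29,5 @@
             intl.setDisableRefresh(d);
         }
+        d = intl.getRefresh();
         // we probably don't get here if d == "0" since caught in summary.jsi, but just
         // to be sure...
@@ -47,5 +48,5 @@
             try { delay = Long.parseLong(d); } catch (NumberFormatException nfe) {}
             if (delay*1000 < timeleft + 5000)
-                out.print("<meta http-equiv=\"refresh\" content=\"" + d + ";url=/summaryframe.jsp\" >\n");
+                out.print("<meta http-equiv=\"refresh\" content=\"" + delay + ";url=/summaryframe.jsp\" >\n");
             else
                 shutdownSoon = true;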
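Review bot: With the meta-refresh now built from the parsed `delay` rather than `d`, the `// XSS` comment on the `stripHTML(d)` line overstates what that call does for this page — the numeric parse is what keeps the emitted header safe, and `stripHTML` only affects what `setDisableRefresh` stores. Suggest `// output below uses the parsed long; this only sanitizes what gets stored` in its place, or drop the `stripHTML` call once the setter validates its input. `delay`'s initial value and the `if` chain it feeds are outside the hunk.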
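--- a/apps/routerconsole/jsp/viewstat.jsp
+++ b/apps/routerconsole/jsp/viewstat.jsp
@@ -85,8 +85,10 @@
  */
 if (!rendered) {
-    if (stat != null)
+    if (stat != null) {
+        stat = net.i2p.data.DataHelper.stripHTML(stat);
         response.sendError(403, "The stat " + stat + " is not available, it must be enabled for graphing on the stats configuration page.");
-    else
+    } else {
         response.sendError(403, "No stat specified");
+    }
 }
 %>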
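Review bot: The user-supplied `stat` name is still reflected into the `sendError(403, …)` message; `stripHTML` removes `<`, `>` and `"`, but whether the container renders that message as HTML and whether it escapes it is outside this page (Jetty's default error handler has differed across versions), so the safer pattern is not to reflect it at all — `response.sendError(403, "The requested stat is not available; it must be enabled for graphing on the stats configuration page.");` — and log the name server-side if it is needed for debugging. If the name must appear, validate it against the pattern stat names actually use rather than blacklisting three characters.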
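--- a/apps/susidns/src/java/src/i2p/susi/dns/BaseBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/BaseBean.java
@@ -143,5 +143,5 @@
      */
     public void setAction(String action) {
-        this.action = action;
+        this.action = DataHelper.stripHTML(action);
     }
 
@@ -159,5 +159,5 @@
      */
     public void setSerial(String serial) {
-        this.serial = serial;
+        this.serial = DataHelper.stripHTML(serial);
     }
 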
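Review bot: `action` and `serial` are form-control values that are compared server-side (their uses are outside the hunk), so the right hardening is to reject unexpected input rather than rewrite it: `serial` can be checked against the format it is generated in, and `action` against the set of button labels the bean actually handles. `stripHTML` also turns `"` into `%22`, which makes a legitimate comparison fail in a confusing way instead of cleanly. Whether `stripHTML` tolerates null is not visible in this changeset; if it does not, these setters now NPE on a missing parameter where they previously stored null. The Javadoc above each setter (`*/` is the first context line) should mention the sanitizing, since callers no longer get back what they set.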
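--- a/apps/susidns/src/java/src/i2p/susi/dns/NamingServiceBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/NamingServiceBean.java
@@ -31,4 +31,5 @@
 import net.i2p.client.naming.NamingService;
 import net.i2p.data.DataFormatException;
+import net.i2p.data.DataHelper;
 import net.i2p.data.Destination;
 
@@ -323,5 +324,5 @@
 
         public void setH(String h) {
-                this.detail = h;
+                this.detail = DataHelper.stripHTML(h);
         }
 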
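Review bot: `detail` is a hostname used for the address-book lookup, and stripping `<`/`>`/`"` leaves every other character in place; a hostname validator applying the same rules the addressbook uses when adding an entry (not visible here) would reject bad input instead of storing a modified copy of it. `stripHTML` turning `"` into `%22` also guarantees that a lookup for the stripped value silently misses. If the addressbook accepts nothing beyond letters, digits, dots and hyphens, `this.detail = (h != null && h.matches("[A-Za-z0-9.-]+")) ? h : null;` is a clearer contract and avoids depending on `stripHTML`'s null behaviour, which this changeset does not show.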
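--- a/apps/susidns/src/java/src/i2p/susi/dns/SubscriptionsBean.java
+++ b/apps/susidns/src/java/src/i2p/susi/dns/SubscriptionsBean.java
@@ -161,5 +161,5 @@
         public void setContent(String content) {
                 // will come from form with \r\n line endings
-                this.content = content;
+                this.content = DataHelper.stripHTML(content);
         }
 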
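Review bot: `content` is the subscriptions list that gets persisted, and `stripHTML` now alters it before storage (`"` → `%22`, `<`/`>` → space) instead of escaping it when it is shown in the textarea; since the lines are URLs a legitimate value rarely contains those characters, but validating each line as a URL and escaping at the output site is the safer shape. The `// will come from form with \r\n line endings` comment is worth acting on here: if this text is ever written through `DataHelper.storeProps()`, the `\r` rejection added in this changeset would now throw, so normalize with `content.replace("\r\n", "\n")` before storing (where it is written is outside the hunk — confirm). Whether `stripHTML` tolerates a null `content` is also not visible.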
  • apps/susidns/src/jsp/addressbook.jsp

    re9c8748 raf575d6  
    2929
    3030    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     31    response.setHeader("Content-Security-Policy", "default-src 'self'");
     32    response.setHeader("X-XSS-Protection", "1; mode=block");
    3133
    3234%>
  • apps/susidns/src/jsp/config.jsp

    re9c8748 raf575d6  
    2929
    3030    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     31    response.setHeader("Content-Security-Policy", "default-src 'self'");
     32    response.setHeader("X-XSS-Protection", "1; mode=block");
    3133
    3234%>
  • apps/susidns/src/jsp/details.jsp

    re9c8748 raf575d6  
    2626
    2727    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     28    response.setHeader("Content-Security-Policy", "default-src 'self'");
     29    response.setHeader("X-XSS-Protection", "1; mode=block");
    2830
    2931%>
     
    7476        %><p>No host specified</p><%
    7577    } else {
     78        detail = net.i2p.data.DataHelper.stripHTML(detail);
    7679        i2p.susi.dns.AddressBean addr = book.getLookup();
    7780        if (addr == null) {
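Review bot: `detail` is reassigned to `stripHTML(detail)` after the null check, but `book.getLookup()` on the next line presumably reads the bean's own field (populated through `setH`) rather than this local, so unless `detail` is echoed further down (outside the hunk) the assignment does nothing; if it is echoed, HTML-escaping at the `<%= %>` site is the proper fix. A hostname shape check here — matching whatever the addressbook accepts on insert — would give a clear "invalid host" message instead of a silent lookup miss.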
  • apps/susidns/src/jsp/index.jsp

    re9c8748 raf575d6  
    2929
    3030    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     31    response.setHeader("Content-Security-Policy", "default-src 'self'");
     32    response.setHeader("X-XSS-Protection", "1; mode=block");
    3133
    3234%>
  • apps/susidns/src/jsp/subscriptions.jsp

    re9c8748 raf575d6  
    2929
    3030    response.setHeader("X-Frame-Options", "SAMEORIGIN");
     31    response.setHeader("Content-Security-Policy", "default-src 'self'");
     32    response.setHeader("X-XSS-Protection", "1; mode=block");
    3133
    3234%>
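--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1563,4 +1563,6 @@
                 response.setCharacterEncoding("UTF-8");
                 response.setHeader("X-Frame-Options", "SAMEORIGIN");
+                response.setHeader("Content-Security-Policy", "default-src 'self'");
+                response.setHeader("X-XSS-Protection", "1; mode=block");
                 RequestWrapper request = new RequestWrapper( httpRequest );
 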
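Review bot: For a webmail renderer `default-src 'self'` is the most valuable header in this changeset, since it blocks remote images and scripts referenced from untrusted mail bodies; a comment above the three `setHeader` calls stating that the body renderer relies on it would stop someone from relaxing the policy for convenience, e.g. `// CSP is load-bearing here: mail bodies are untrusted HTML and must not fetch or run anything off-origin`. Whether susimail emits inline styles or scripts that this policy will now block is not visible here and should be checked. The enclosing method starts and ends outside the hunk.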
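--- a/core/java/src/net/i2p/client/naming/ExecNamingService.java
+++ b/core/java/src/net/i2p/client/naming/ExecNamingService.java
@@ -58,4 +58,6 @@
     public ExecNamingService(I2PAppContext context) {
         super(context);
+        // disable for now
+        throw new UnsupportedOperationException();
     }
 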
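Review bot: The constructor now throws an unconditional `UnsupportedOperationException` with no message, and `// disable for now` says neither why nor how the caller is expected to cope; if the naming-service factory (outside this file) instantiates by reflection, this surfaces as a generic construction failure. Prefer `throw new UnsupportedOperationException("ExecNamingService is disabled (2014-07-26), see history.txt");` with a comment giving the reason — presumably that this service runs an externally configured command, which the commit credits but does not spell out. Consider removing the remaining body of the class rather than leaving the exec logic behind a constructor that can never complete; `super(context)` still runs first, which is harmless but leaves a partially built instance if a subclass ever bypasses this.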
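--- a/core/java/src/net/i2p/data/DataHelper.java
+++ b/core/java/src/net/i2p/data/DataHelper.java
@@ -479,10 +479,12 @@
                 if (name.contains("#") ||
                     name.contains("=") ||
+                    name.contains("\r") ||
                     name.contains("\n") ||
                     name.startsWith(";") ||
                     val.contains("#") ||
+                    val.contains("\r") ||
                     val.contains("\n")) {
                     if (iae == null)
-                        iae = new IllegalArgumentException("Invalid character (one of \"#;=\\n\") in key or value: \"" +
+                        iae = new IllegalArgumentException("Invalid character (one of \"#;=\\r\\n\") in key or value: \"" +
                                                            name + "\" = \"" + val + '\"');
                     continue;
@@ -1623,4 +1625,5 @@
         String t1 = orig.replace('<', ' ');
         String rv = t1.replace('>', ' ');
+        rv = rv.replace("\"", "%22");
         return rv;
     }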
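Review bot: The `rv.replace("\"", "%22")` addition turns `stripHTML` into a hybrid that neither strips nor encodes: `"` becomes a percent-escape that is wrong for HTML contexts (the reader sees a literal `%22`), while `'` and `&` still pass through, so the result is only safe inside a double-quoted attribute or element text — and callers across this changeset also feed it into query strings and into values that get stored. The method's Javadoc (its start is outside the hunk) should state that contract plainly; one line suffices: `/** Crude blacklist for double-quoted-attribute and text contexts only: not a URL or single-quote escaper, and it alters the value (" becomes %22), so never apply it to data that will be stored. */`. The added `\r` check in `storeProps()` is right but remains a blacklist (`#`, `=`, `;`, `\r`, `\n`); if these files are read back with `java.util.Properties`, keys starting with `!` or containing backslashes or leading whitespace are also interpreted specially — confirm against the reader and extend the check if so.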
  • history.txt

    re9c8748 raf575d6  
     12014-07-26 zzz
     2 * Console:
     3   - Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
     4   - Add Content-Security-Policy and X-XSS-Protection headers
     5   - Disable changing news feed URL from UI
     6   - Disable plugin install from UI
     7   - Disable setting unsigned update URL from UI
     8   - Disable /configadvanced
     9 * DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
     10 * ExecNamingService: Disable (thx joernchen of Phenoelit)
     11 * Startup: Add susimail.config to migrated files
     12
    1132014-07-23 kytv
    214 * Updates to geoip.txt and geoipv6.dat.gz based on Maxmind GeoLite Country
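--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -19,8 +19,8 @@
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 19;
+    public final static long BUILD = 20;
 
     /** for example "-test" */
-    public final static String EXTRA = "";
+    public final static String EXTRA = "-rc";
     public final static String FULL_VERSION = VERSION + "-" + BUILD + EXTRA;
     public static void main(String args[]) {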
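--- a/router/java/src/net/i2p/router/startup/WorkingDir.java
+++ b/router/java/src/net/i2p/router/startup/WorkingDir.java
@@ -273,8 +273,8 @@
         "addressbook,eepsite," +
         // base install - files
-        // We don't currently have a default router.config, logger.config, or webapps.config in the base distribution,
+        // We don't currently have a default router.config, logger.config, susimail.config, or webapps.config in the base distribution,
         // but distros might put one in
         "blocklist.txt,hosts.txt,i2psnark.config,i2ptunnel.config,jetty-i2psnark.xml," +
-        "logger.config,router.config,systray.config,webapps.config";
+        "logger.config,router.config,susimail.config,systray.config,webapps.config";
 
     private static boolean migrate(String list, File olddir, File todir) {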