Opened 7 years ago

Closed 7 years ago

#1339 closed defect (fixed)

Strict filtering breaks torrent metainfo retrieval

Reported by: killyourtv Owned by: zzz
Priority: major Milestone:
Component: apps/i2psnark Version: 0.9.14
Keywords: xss filter Cc:
Parent Tickets: Sensitive: no


Adding a torrent with a torrent file or magnet link fails

An example link: magnet:?xt=urn:btih:487188c47bd6043ed9b9881e5cd5495bf15c3685&dn=i2pupdate-0.9.14.su3&tr=http://tracker2.postman.i2p/announce.php

This yields

WARN [onsole Jetty] vlet.filters.XSSRequestWrapper: URL "/_post" Stripped param "newURL" : "magnet:?xt=urn:btih:487188c47bd6043ed9b9881e5cd5495bf15c3685&dn=i2pupdate-0.9.14.su3&tr=http://tracker2.postman.i2p/announce.php"

Without "special" chars (e.g. http://update.killyourtv.i2p/mtn/torrents/i2p-router-0.9.14-0.torrent), it works fine.


Change History (5)

comment:1 Changed 7 years ago by zzz

Workaround for torrent file links:

Right click - save as, and move file to i2psnark directory. It will be added to the UI within 60 seconds.

Workaround for magnet links:

paste in only the 40-character info hash, i.e. the part between "btih:" and "&dn"

Looks like the problematic character is '&'

comment:2 Changed 7 years ago by rfree

I confirm this bug on upgraded install as well on clear installation of i2p.

comment:3 Changed 7 years ago by zzz

Status: newtesting

Fixed in 0.9.14-2-rc, to be released in, please test

comment:4 Changed 7 years ago by killyourtv

I'm on -3-rc, loooking good.

comment:5 Changed 7 years ago by zzz

Resolution: fixed
Status: testingclosed
Note: See TracTickets for help on using tickets.