This borderlines major/critical. Marking as critical since Bote is now 50% useless without a restored backup. To my joy, this was *not* on my dev machine >:-|

After attempting to change a working password to a blank password (nothing entered in the "New password" and "Confirm:" fields) and subsequently clearing the password cache of the *working* password, any further attempts to access Bote /folder.jsp?path=Sent or /folder.jsp?path=Trash ("Sent" or "Trash") messages result in a local DoS (500 page). Unless a full ~/i2pbote restore is made, Bote "Sent" and "Trash" messages appear to be completely inaccessible.

To reproduce:
1) Go directly to settings and try to change to blank password
2) Clear password cache (key icon on top right)
3) Click on "Sent" or "Trash" and authenticate with old *working* password
4) Also click on "Inbox" and "Outbox" for comparison

"Invalid header bytes: [0, 0, 0, 0], expected: [73, 66, 101, 102]" is returned after attempting to change the password from a working one to a blank one. The new blank password is never accepted and any attempts to enter a blank password (when authenticating) will return "Wrong password. Try again."

Restarting the router has no effect. Reinstalling the plugin has no effect. AFAIK, only a full ~/i2pbote restore of a working backup will restore complete functionality.
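Added example, not I2P-Bote's own code: a defensive password-change routine that rejects a blank password before touching any file and then verifies the re-encrypted blob (the ticket's expected header bytes [73, 66, 101, 102] are ASCII "IBef") with a header check and a decrypt round-trip before atomically replacing the original, so a failed change cannot leave the folder files unreadable. The XOR cipher, the 8-byte check tag and the blank-password failure mode are constructed stand-ins for the demo and are assumptions, not Bote's real storage format.

```python
import hashlib
import os

# Magic from the ticket's error text: [73, 66, 101, 102] is ASCII "IBef".
EXPECTED_HEADER = bytes([73, 66, 101, 102])

def header_ok(blob: bytes) -> bool:
    return blob[:4] == EXPECTED_HEADER

def header_error(blob: bytes) -> str:
    # Same diagnostic the ticket quotes, for a corrupt file.
    return f"Invalid header bytes: {list(blob[:4])}, expected: {list(EXPECTED_HEADER)}"

def _keystream(pw: str, n: int) -> bytes:
    # Constructed stand-in for Bote's cipher (XOR with a SHA-256 stream); not real crypto.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(pw.encode() + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def toy_encrypt(plain: bytes, pw: str) -> bytes:
    # Constructed to mimic the reported failure: a blank password yields a zeroed header.
    if not pw:
        return b"\x00\x00\x00\x00" + plain
    body = bytes(a ^ b for a, b in zip(plain, _keystream(pw, len(plain))))
    return EXPECTED_HEADER + body + hashlib.sha256(plain).digest()[:8]  # 8-byte check tag

def toy_decrypt(blob: bytes, pw: str) -> bytes:
    if not header_ok(blob):
        raise ValueError(header_error(blob))
    body, tag = blob[4:-8], blob[-8:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(pw, len(body))))
    if hashlib.sha256(plain).digest()[:8] != tag:
        raise ValueError("Wrong password. Try again.")
    return plain

def change_password(path: str, old_pw: str, new_pw: str) -> bytes:
    """Re-encrypt `path` under new_pw. The original is replaced only after the new blob
    passes the header check and a decrypt round-trip, so any failure leaves it readable."""
    if not new_pw:
        raise ValueError("blank password rejected before anything is rewritten")
    with open(path, "rb") as f:
        plain = toy_decrypt(f.read(), old_pw)
    new_blob = toy_encrypt(plain, new_pw)
    if not header_ok(new_blob) or toy_decrypt(new_blob, new_pw) != plain:
        raise RuntimeError("self-check failed; original left untouched")
    with open(path + ".tmp", "wb") as f:
        f.write(new_blob)
    os.replace(path + ".tmp", path)  # atomic swap, so no half-written folder file
    return new_blob
```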


Keywords: I2P-Bote added

I2P-Bote: local DoS with certain passwords, #2

Could this also be XSSfilter related? I don't know which characters are whitelisted but I suspect or an empty string is not one of them.

(Just thinking aloud)

Migrated to - I will close these tickets as things are resolved rather than right now, but please make future comments on GitHub.

