Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#588 closed defect (fixed)

Quotes/backquotes escaping in router console

Reported by: Z6
Owned by: str4d
Priority: major
Milestone: 0.8.13
Component: apps/console
Version: 0.8.12
Keywords: html, filtration, xss
Cc:
Parent Tickets:
Sensitive: no

Description

Yesterday I found a simple filtration bug in the control panel.
But today I changed my opinion about that.

How I found this bug:
1 - You need to have a default router installation (or just a router with Jetty found).
2 - Surf to the "Client Configuration" page:
http://127.0.0.1:7657/configclients
3 - Here you can see your "I2P webserver (eepsite)".
And you can see the "Class and arguments" value:
org.mortbay.jetty.Server "/home/z6/.i2p/eepsite/jetty.xml"
4 - Next you need to hit the "edit" button.
5 - And now you can see only this in the input field:
org.mortbay.jetty.Server
6 - It happens because I2P doesn't convert special characters to the proper format.
The HTML is broken here:

<input type="text" size="80" name="desc3" value="org.mortbay.jetty.Server "/home/z6/.i2p/eepsite/jetty.xml"" >

As you see, the I2P control panel doesn't escape quotes.


The situation is the same in most text input fields of the I2P console (i2ptunnels/susidns).

PS:
I2P has a lot of plugins, so ignoring HTML filtration is not just an interface problem.
In some situations it can be a security problem, I think.
That's the reason why I chose major priority for this bug.
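The following is an added illustration by the editor, not code from I2P or from the reporter. It rebuilds the `<input>` tag from the description exactly as raw string concatenation produces it, then builds the same tag with every dynamic value passed through a small escaping helper (`escapeHtml`, `unescapeHtml` and `displayedValue` are this example's own names, not I2P APIs). `displayedValue` reads the `value="..."` attribute the way a lenient parser would, so it shows why the field displayed only `org.mortbay.jetty.Server` and why the escaped form round-trips the full value. The jetty.xml path is the reporter's sample value, reused here as constructed input.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not I2P code): unescaped vs. escaped HTML attribute values.
public class AttrEscapeDemo {

    // The "Class and arguments" value from the ticket, used as sample input.
    static final String SAMPLE_VALUE =
        "org.mortbay.jetty.Server \"/home/z6/.i2p/eepsite/jetty.xml\"";

    // How the broken page built the tag: raw string concatenation.
    static String buildInputUnescaped(String name, String value) {
        return "<input type=\"text\" size=\"80\" name=\"" + name
             + "\" value=\"" + value + "\" >";
    }

    // Minimal HTML escaping for text nodes and double-quoted attribute values.
    // '&' is handled like every other character in one pass, so entities
    // produced here are never re-escaped.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The corrected form: every dynamic value is escaped at render time, so the
    // stored configuration value itself is never modified.
    static String buildInputEscaped(String name, String value) {
        return buildInputUnescaped(escapeHtml(name), escapeHtml(value));
    }

    // Decodes the five entities produced above, mirroring what a browser does
    // with an attribute before showing it in the field or submitting the form.
    // "&amp;" is decoded last so that "&amp;lt;" correctly becomes "&lt;".
    static String unescapeHtml(String s) {
        return s.replace("&quot;", "\"").replace("&#39;", "'")
                .replace("&lt;", "<").replace("&gt;", ">")
                .replace("&amp;", "&");
    }

    // Reads value="..." like a lenient parser: the first '"' after value="
    // terminates the attribute. Returns the decoded text the user would see.
    static String displayedValue(String tag) {
        Matcher m = Pattern.compile("value=\"([^\"]*)\"").matcher(tag);
        return m.find() ? unescapeHtml(m.group(1)) : null;
    }

    public static void main(String[] args) {
        String broken = buildInputUnescaped("desc3", SAMPLE_VALUE);
        String fixed  = buildInputEscaped("desc3", SAMPLE_VALUE);

        System.out.println(broken);
        // Truncated at the first embedded quote, as the reporter saw.
        System.out.println("shown: [" + displayedValue(broken) + "]");

        System.out.println(fixed);
        // The full original value survives the round trip.
        System.out.println("shown: [" + displayedValue(fixed) + "]");
        System.out.println("round-trip ok: "
            + SAMPLE_VALUE.equals(displayedValue(fixed)));
    }
}
```

Compile and run with `javac AttrEscapeDemo.java && java AttrEscapeDemo`. The same helper applied to the name attribute and to text between tags closes the other cases the ticket mentions (i2ptunnels/susidns fields): the point is that nothing user- or config-controlled reaches the page without going through it.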

Subtickets

Change History (3)

comment:1 Changed 8 years ago by str4d

Owner: set to str4d
Status: new → accepted

This is difficult to combat generically, as there is no general write-to-console function - the HTML is built on-the-fly in each individual method, so it is up to each individual method to escape/unescape relevant variables. So it's really a case of creating a ticket whenever you find an input that doesn't escape HTML properly/at all. Fix for this instance coming momentarily…

comment:2 Changed 8 years ago by str4d

Resolution: fixed
Status: accepted → closed

Right, this is fixed for the client config page (and doesn't destroy clients.config either now _). Open a new ticket for other locations.

comment:3 Changed 8 years ago by Z6

Okay.
I'll report all other pages when I find time to check them.
