* Console:

- Fix several XSS issues (thx Aaron Portnoy of Exodus Intel)
  - Add Content-Security-Policy and X-XSS-Protection headers
  - Disable changing news feed URL from UI
  - Disable plugin install from UI
  - Disable setting unsigned update URL from UI
  - Disable /configadvanced
* DataHelper: Disallow \r in storeProps() (thx joernchen of Phenoelit)
* ExecNamingService: Disable (thx joernchen of Phenoelit)
* Startup: Add susimail.config to migrated files
This commit is contained in:
zzz
2014-07-26 09:32:26 +00:00
parent e9c8748c0b
commit af575d6c95
32 changed files with 124 additions and 61 deletions


@@ -142,7 +142,7 @@ public class BaseBean
* @since 0.9.13 moved from subclasses
*/
public void setAction(String action) {
this.action = action;
this.action = DataHelper.stripHTML(action);
}
/**
@@ -158,7 +158,7 @@ public class BaseBean
* @since 0.9.13 moved from subclasses
*/
public void setSerial(String serial) {
this.serial = serial;
this.serial = DataHelper.stripHTML(serial);
}
/**
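Review bot: `setAction` and `setSerial` now store `DataHelper.stripHTML(...)` of the request value, which is input-side sanitization; the pages that later print these fields still need to HTML-encode at the point of output, because stripHTML's exact character handling is not visible in this hunk and stripping at input does not cover attribute or script contexts. Consider stating the intent on both setters, e.g. `// defense in depth only; callers must still escape on output`. If `serial` is the per-form nonce compared against a stored value, a stripped token that no longer matches fails closed, which is the desired outcome but worth documenting so the stripping is not later removed as "unnecessary".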


@@ -30,6 +30,7 @@ import java.util.Properties;
import net.i2p.client.naming.NamingService;
import net.i2p.data.DataFormatException;
import net.i2p.data.DataHelper;
import net.i2p.data.Destination;
/**
@@ -322,7 +323,7 @@ public class NamingServiceBean extends AddressbookBean
}
public void setH(String h) {
this.detail = h;
this.detail = DataHelper.stripHTML(h);
}
public AddressBean getLookup() {
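Review bot: `setH` now writes the stripped value into `detail`, and `detail` appears to be the key that `getLookup()` resolves (its body is outside the hunk), so a hostname containing characters stripHTML removes is silently rewritten and looked up under a different name. Since a valid hostname never contains `<`, `>` or quotes, rejecting such input (leaving `detail` unset so the page reports no host) would be clearer than quietly altering it; if rewriting is intended, a comment such as `// sanitized value is also used as the lookup key` makes the coupling visible.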


@@ -160,7 +160,7 @@ public class SubscriptionsBean extends BaseBean
public void setContent(String content) {
// will come from form with \r\n line endings
this.content = content;
this.content = DataHelper.stripHTML(content);
}
public String getContent()
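Review bot: `setContent` now stores `DataHelper.stripHTML(content)` for the whole subscription list, but the comment directly above says the value arrives with `\r\n` line endings, and this commit also makes `storeProps()` reject `\r`; if this content is persisted through that path, normalize here as well, e.g. `this.content = DataHelper.stripHTML(content).replace("\r\n", "\n");`, or the later write may fail. Whether the content reaches `storeProps()` is not visible in this hunk; if it does not, the existing comment should say where the line endings are handled.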


@@ -28,6 +28,8 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
<%@page pageEncoding="UTF-8"%>
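Review bot: `default-src 'self'` with no `script-src`/`style-src` override also blocks inline `<script>` blocks, inline event handlers and `style=` attributes, so any of these JSPs that still rely on them will lose that behavior once the header is sent; each page receiving the header should be checked for inline script and style. A policy without `frame-ancestors` does not replace the `X-Frame-Options` line above it, so keeping both is correct. Adding `response.setHeader("X-Content-Type-Options", "nosniff");` alongside these would also stop browsers from sniffing user-influenced responses into a scriptable type at no cost to the page.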


@@ -28,6 +28,8 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
<%@page pageEncoding="UTF-8"%>
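Review bot: The same three `response.setHeader` lines are repeated verbatim in every susidns JSP touched by this commit, which is duplication that tends to drift when one page is edited later (a header tightened on one page but not the others). A JSP include fragment or a servlet Filter registered for the webapp would set the security headers once for all pages. If neither is practical here, a short comment on each copy, e.g. `<%-- security headers: keep in sync with the other susidns JSPs --%>`, at least flags the coupling for the next maintainer.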


@@ -25,6 +25,8 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
<%@page pageEncoding="UTF-8"%>
@@ -73,6 +75,7 @@
if (detail == null) {
%><p>No host specified</p><%
} else {
detail = net.i2p.data.DataHelper.stripHTML(detail);
i2p.susi.dns.AddressBean addr = book.getLookup();
if (addr == null) {
%><p>Not found: <%=detail%></p><%
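Review bot: `detail` is stripped and then emitted through `<%=detail%>` in the not-found message; stripping is an input-side mitigation, while the robust fix is to HTML-encode at the output expression itself, since the exact set of characters stripHTML removes is not visible here. If `NamingServiceBean.setH` is what populated `detail`, the value has already been stripped once, so this line is defense in depth and deserves a comment saying so, e.g. `// already stripped in setH; repeated here for callers that set detail directly`. The enclosing `else` branch continues past the hunk.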


@@ -28,6 +28,8 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
<%@page pageEncoding="UTF-8"%>


@@ -28,6 +28,8 @@
request.setCharacterEncoding("UTF-8");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("Content-Security-Policy", "default-src 'self'");
response.setHeader("X-XSS-Protection", "1; mode=block");
%>
<%@page pageEncoding="UTF-8"%>