zzz/i2p.i2p
1
0
Fork 0
forked from I2P_Developers/i2p.i2p
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Add filtering for getParameterMap()

Browse Source 
Don't return null entries in getParameterValues() array
Log in getParameterValues() too
static
This commit is contained in:
zzz
2014-07-26 15:09:40 +00:00
parent ca5755b0fd
commit 6753d23309
2 changed files with 35 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java
View File

@@ -1,5 +1,9 @@
package net.i2p.servlet.filters; package net.i2p.servlet.filters;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@@ -32,10 +36,25 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
int count = values.length; int count = values.length;
String[] encodedValues = new String[count]; String[] encodedValues = new String[count];
int good = 0;
for (int i = 0; i < count; i++) { for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i], parameterValuePattern); String value = values[i];
String v2 = stripXSS(value, parameterValuePattern);
if (v2 != null) {
encodedValues[good++] = v2;
} else if (value != null) {
Log log = I2PAppContext.getGlobalContext().logManager().getLog(XSSRequestWrapper.class);
log.logAlways(Log.WARN, "URL \"" + getServletPath() + "\" Stripped param \"" + parameter + "\" : \"" + value + '"');
}
}
if (good <= 0)
return null;
if (good < count) {
// shrink array
String[] rv = new String[good];
System.arraycopy(encodedValues, 0, rv, 0, good);
encodedValues = rv;
} }
return encodedValues; return encodedValues;
} }
@@ -50,6 +69,18 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return rv; return rv;
} }
@Override
public Map getParameterMap() {
Map rv = new HashMap();
for (Enumeration keys = getParameterNames(); keys.hasMoreElements(); ) {
String k = (String) keys.nextElement();
String[] v = getParameterValues(k);
if (v != null)
rv.put(k, v);
}
return Collections.unmodifiableMap(rv);
}
@Override @Override
public String getHeader(String name) { public String getHeader(String name) {
String value = super.getHeader(name); String value = super.getHeader(name);
@@ -61,7 +92,7 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return rv; return rv;
} }
private String stripXSS(String value, Pattern whitelistPattern) { private static String stripXSS(String value, Pattern whitelistPattern) {
if (value != null) { if (value != null) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks. // avoid encoded attacks.

2
router/java/src/net/i2p/router/RouterVersion.java
View File

@@ -18,7 +18,7 @@ public class RouterVersion {
/** deprecated */ /** deprecated */
public final static String ID = "Monotone"; public final static String ID = "Monotone";
public final static String VERSION = CoreVersion.VERSION; public final static String VERSION = CoreVersion.VERSION;
public final static long BUILD = 23; public final static long BUILD = 24;
/** for example "-test" */ /** for example "-test" */
public final static String EXTRA = "-rc"; public final static String EXTRA = "-rc";