* Console:

- Fix update buttons
   - Don't filter parameters whose names start with "nofilter_"
   - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true
   - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true
   - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true
   - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true
   - More escaping
 * i2psnark: Fix add torrent form
zzz
2014-08-03 13:58:51 +00:00
parent bf9c4b2346
commit b28eb708a4
26 changed files with 289 additions and 131 deletions


@@ -21,14 +21,20 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
// Adapted from https://owasp-esapi-java.googlecode.com/svn/trunk/configuration/esapi/ESAPI.properties
private static final Pattern parameterValuePattern = Pattern.compile("^[\\p{L}\\p{Nd}.,:\\-\\/+=~\\[\\]?@_ \r\n]*$");
private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$");
private static final String NOFILTER = "nofilter_";
public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (parameter.startsWith(NOFILTER))
return values;
if (values == null) {
return null;
@@ -58,9 +64,14 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return encodedValues;
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (parameter.startsWith(NOFILTER))
return value;
String rv = stripXSS(value, parameterValuePattern);
if (value != null && rv == null) {
Log log = I2PAppContext.getGlobalContext().logManager().getLog(XSSRequestWrapper.class);
@@ -69,6 +80,9 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
return rv;
}
/**
* Parameter names starting with "nofilter_" will not be filtered.
*/
@Override
public Map getParameterMap() {
Map rv = new HashMap();