* Console:

- Fix update buttons - Don't filter parameter names starting with "nofilter_" - Re-allow configadvanced, news URL, and unsigned update URL if routerconsole.advanced=true - Re-allow plugin install if routerconsole.advanced=true or routerconsole.enablePluginInstall=true - Only allow whitelisted plugin signers, unless routerconsole.allowUntrustedPlugins=true - Re-allow clients.config changes if routerconsole.advanced=true or routerconsole.enableClientChange=true - More escaping * i2psnark: Fix add torrent form
2014-08-03 13:58:51 +00:00
parent bf9c4b2346
commit b28eb708a4
26 changed files with 289 additions and 131 deletions
--- a/apps/routerconsole/jsp/configadvanced.jsp
+++ b/apps/routerconsole/jsp/configadvanced.jsp
@@ -24,19 +24,20 @@
 <%@include file="formhandler.jsi" %>
 <div class="configure">
 <div class="wideload">
-<!--
+<% if (advancedhelper.isAdvanced()) { %>
 <form action="" method="POST">
 <input type="hidden" name="nonce" value="<%=pageNonce%>" >
 <input type="hidden" name="action" value="blah" >
-->
+<% }  // isAdvanced %>
 <h3><%=intl._("Advanced I2P Configuration")%></h3>
- <textarea rows="32" cols="60" name="config" wrap="off" spellcheck="false" readonly="readonly"><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
-<!--
+ <textarea rows="32" cols="60" name="nofilter_config" wrap="off" spellcheck="false" <% if (!advancedhelper.isAdvanced()) { %>readonly="readonly"<% } %>><jsp:getProperty name="advancedhelper" property="settings" /></textarea><br><hr>
+<% if (advancedhelper.isAdvanced()) { %>
      <div class="formaction">
        <input type="reset" class="cancel" value="<%=intl._("Cancel")%>" >
        <input type="submit" name="shouldsave" class="accept" value="<%=intl._("Save changes")%>" >
 <br><b><%=intl._("NOTE")%>:</b> <%=intl._("Some changes may require a restart to take effect.")%>
 </div></form>
-->
+<% } else { %>
 To make changes, edit the router.config file.
+<% }  // isAdvanced %>
 </div></div></div></body></html>
--- a/apps/routerconsole/jsp/configclients.jsp
+++ b/apps/routerconsole/jsp/configclients.jsp
@@ -39,7 +39,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 <%=intl._("All changes require restart to take effect.")%></i>
 </p><hr><div class="formaction">
 <input type="submit" class="cancel" name="foo" value="<%=intl._("Cancel")%>" />
-<% if (false && request.getParameter("edit") == null) { %>
+<% if (clientshelper.isClientChangeEnabled() && request.getParameter("edit") == null) { %>
 <input type="submit" name="edit" class="add" value="<%=intl._("Add Client")%>" />
 <% } %>
 <input type="submit" class="accept" name="action" value="<%=intl._("Save Client Configuration")%>" />
@@ -80,7 +80,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 <%=intl._("Username")%>:
 <input name="user" type="text" value="" /><br>
 <%=intl._("Password")%>:
-<input name="pw" type="password" value="" /><br>
+<input name="nofilter_pw" type="password" value="" /><br>
 </p><p><b><%=intl._("The default settings will work for most people.")%></b>
 <%=intl._("Any changes made here must also be configured in the external client.")%>
 <%=intl._("Many clients do not support SSL or authorization.")%>
@@ -117,7 +117,7 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 <input type="submit" name="action" class="accept" value="<%=intl._("Save Plugin Configuration")%>" />
 </div></form></div>

-<!--
+<% if (clientshelper.isPluginInstallEnabled()) { %>
 <h3><a name="plugin"></a><%=intl._("Plugin Installation")%></h3><p>
 <%=intl._("Look for available plugins on {0}.", "<a href=\"http://plugins.i2p\">plugins.i2p</a>")%>
 <%=intl._("To install a plugin, enter the download URL:")%>
@@ -133,6 +133,8 @@ input.default { width: 1px; height: 1px; visibility: hidden; }
 </div><hr><div class="formaction">
 <input type="submit" name="action" class="reload" value="<%=intl._("Update All Installed Plugins")%>" />
 </div></form></div>
-->
-<% } %>
+<%
+     } // pluginInstallEnabled
+ } // showPlugins
+%>
 </div></div></body></html>
--- a/apps/routerconsole/jsp/configreseed.jsp
+++ b/apps/routerconsole/jsp/configreseed.jsp
@@ -52,7 +52,7 @@
 <tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Username")%>:</b></td>
 <td><input name="username" type="text" value="<jsp:getProperty name="reseedHelper" property="username" />" ></td></tr>
 <tr><td class="mediumtags" align="right"><b><%=intl._("HTTP Proxy Password")%>:</b></td>
-<td><input name="password" type="password" value="<jsp:getProperty name="reseedHelper" property="password" />" ></td></tr>
+<td><input name="nofilter_password" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_password" />" ></td></tr>

 <!-- TODO Need SSLEepGet support
 <tr><td class="mediumtags" align="right"><b><%=intl._("Enable HTTPS Proxy?")%></b></td>
@@ -67,7 +67,7 @@
 <tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Username")%>:</b></td>
 <td><input name="susername" type="text" value="<jsp:getProperty name="reseedHelper" property="susername" />" ></td></tr>
 <tr><td class="mediumtags" align="right"><b><%=intl._("HTTPS Proxy Password")%>:</b></td>
-<td><input name="spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="spassword" />" ></td></tr>
+<td><input name="nofilter_spassword" type="password" value="<jsp:getProperty name="reseedHelper" property="nofilter_spassword" />" ></td></tr>
 -->

 </table></div>
--- a/apps/routerconsole/jsp/configupdate.jsp
+++ b/apps/routerconsole/jsp/configupdate.jsp
@@ -41,7 +41,7 @@
            <% } %></td></tr>
        <tr><td colspan="2"><br></td></tr>
        <tr><td class="mediumtags" align="right"><b><%=intl._("News URL")%>:</b></td>
-          <td><input type="text" size="60" name="newsURL" readonly="readonly" value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
+          <td><input type="text" size="60" name="newsURL" <% if (!updatehelper.isAdvanced()) { %>readonly="readonly"<% } %> value="<jsp:getProperty name="updatehelper" property="newsURL" />"></td>
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Refresh frequency")%>:</b>
          <td><jsp:getProperty name="updatehelper" property="refreshFrequencySelectBox" /></td></tr>
    <% if (updatehelper.canInstall()) { %>
@@ -64,13 +64,11 @@
          <td><textarea cols="60" rows="6" name="updateURL" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="updateURL" /></textarea></td>
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Trusted keys")%>:</b></td>
          <td><textarea cols="60" rows="6" name="trustedKeys" wrap="off" spellcheck="false"><jsp:getProperty name="updatehelper" property="trustedKeys" /></textarea></td></tr>
-      <% }   // if isAdvanced %>
-<!--
        <tr><td id="unsignedbuild" class="mediumtags" align="right"><b><%=intl._("Update with unsigned development builds?")%></b></td>
          <td><jsp:getProperty name="updatehelper" property="updateUnsigned" /></td>
        </tr><tr><td class="mediumtags" align="right"><b><%=intl._("Unsigned Build URL")%>:</b></td>
          <td><input type="text" size="60" name="zipURL" value="<jsp:getProperty name="updatehelper" property="zipURL" />"></td></tr>
-->
+      <% }   // if isAdvanced %>
    <% } else { %>
        <tr><td class="mediumtags" align="center" colspan="2"><b><%=intl._("Updates will be dispatched via your package manager.")%></b></td></tr>
    <% }   // if canInstall %>
--- a/apps/routerconsole/jsp/flags.jsp
+++ b/apps/routerconsole/jsp/flags.jsp
@@ -12,7 +12,9 @@
 *  with headers set so the browser caches.
 */
 String c = request.getParameter("c");
-if (c != null && c.length() > 0) {
+if (c != null &&
+    (c.length() == 2 || c.length() == 7) &&
+    c.replaceAll("[a-z_]", "").length() == 0) {
    java.io.OutputStream cout = response.getOutputStream();
    String base = net.i2p.I2PAppContext.getGlobalContext().getBaseDir().getAbsolutePath();
    String file = "docs" + java.io.File.separatorChar + "icons" + java.io.File.separatorChar +
--- a/apps/routerconsole/jsp/viewprofile.jsp
+++ b/apps/routerconsole/jsp/viewprofile.jsp
@@ -14,10 +14,11 @@
 <div class="main" id="main"><div class="wideload">
 <%
    String peerB64 = request.getParameter("peer");
-    if (peerB64 == null || peerB64.length() <= 0) {
+    if (peerB64 == null || peerB64.length() <= 0 ||
+        peerB64.replaceAll("[a-zA-Z0-9~=-]", "").length() != 0) {
        out.print("No peer specified");
    } else {
-        peerB64 = net.i2p.data.DataHelper.stripHTML(peerB64);  // XSS
+
 %>
 <jsp:useBean id="stathelper" class="net.i2p.router.web.StatHelper" />
 <jsp:setProperty name="stathelper" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />