From 0cbbe6297e2f2079fcb33b7b1da23b94c8f83f4f Mon Sep 17 00:00:00 2001 From: zzz Date: Wed, 18 Jan 2023 12:21:29 -0500 Subject: [PATCH] i2psnark: Rename search param to bypass the XSS filter Fix encode/decode search param Copy CSS to non-default themes, not tweaked yet Add support for shorter nf_ prefix to XSS filter Remove unneeded float_right, reported by drzed --- .../org/klomp/snark/web/I2PSnarkServlet.java | 34 +++++++++++-------- apps/i2psnark/resources/js/initajax.js | 4 +-- apps/i2psnark/resources/themes/dark/snark.css | 21 ++++++++++++ .../i2psnark/resources/themes/light/snark.css | 21 ++++++++++++ .../resources/themes/ubergine/snark.css | 1 - .../resources/themes/vanilla/snark.css | 21 ++++++++++++ .../servlet/filters/XSSRequestWrapper.java | 9 +++-- 7 files changed, 91 insertions(+), 20 deletions(-) diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java index 2bc68376a..564399957 100644 --- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java +++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java @@ -387,13 +387,12 @@ public class I2PSnarkServlet extends BasicServlet { out.write("\n"); if (!isConfigure) { - String search = req.getParameter("s"); + String search = req.getParameter("nf_s"); if (_manager.getTorrents().size() > 1 || (search != null && search.length() > 0)) { out.write("
" + - "" + "" + "
\n"); @@ -507,7 +506,7 @@ public class I2PSnarkServlet extends BasicServlet { // search boolean isSearch = false; - String search = req.getParameter("s"); + String search = req.getParameter("nf_s"); if (search != null && search.length() > 0) { List matches = search(search, snarks); if (matches != null) { @@ -851,12 +850,17 @@ public class I2PSnarkServlet extends BasicServlet { /** * search torrents for matching terms * - * @param search non-null - * @param snarks unmodified - * @return null if no valid search, or matching torrents in same order + * @param search non-null and %-encoded, will be decoded here + * @param snarks unmodified, order will be honored + * @return null if not a valid search, or matching torrents in same order, possibly empty * @since 0.9.58 */ private static List search(String search, Collection snarks) { + try { + search = decodePath(search); + } catch (IOException ioe) { + return null; + } List searchList = null; String[] terms = DataHelper.split(search, " "); for (int i = 0; i < terms.length; i++) { @@ -927,7 +931,7 @@ public class I2PSnarkServlet extends BasicServlet { .append(action).append("\" >\n"); } else { // for buttons, keep the search term - String sParam = req.getParameter("s"); + String sParam = req.getParameter("nf_s"); if (sParam != null) { buf.append("\n"); @@ -987,15 +991,15 @@ public class I2PSnarkServlet extends BasicServlet { buf.append(st); } if (s == null) { - s = req.getParameter("s"); + s = req.getParameter("nf_s"); if (s != null) s = DataHelper.escapeHTML(s); } if (s != null && !s.equals("")) { if (buf.length() <= 0) - buf.append("?s="); + buf.append("?nf_s="); else - buf.append("&s="); + buf.append("&nf_s="); buf.append(s); } return buf.toString(); @@ -1555,7 +1559,7 @@ public class I2PSnarkServlet extends BasicServlet { _manager.addMessage(_t("Error creating torrent - you must enter a file or directory")); } } else if ("StopAll".equals(action)) { - String search = req.getParameter("s"); + String search = req.getParameter("nf_s"); if (search != null && search.length() > 0) { List matches = search(search, _manager.getTorrents()); if (matches != null) { @@ -1567,7 +1571,7 @@ public class I2PSnarkServlet extends BasicServlet { } _manager.stopAllTorrents(false); } else if ("StartAll".equals(action)) { - String search = req.getParameter("s"); + String search = req.getParameter("nf_s"); if (search != null && search.length() > 0) { List matches = search(search, _manager.getTorrents()); if (matches != null) { diff --git a/apps/i2psnark/resources/js/initajax.js b/apps/i2psnark/resources/js/initajax.js index 87de15cd3..7697b0086 100644 --- a/apps/i2psnark/resources/js/initajax.js +++ b/apps/i2psnark/resources/js/initajax.js @@ -29,12 +29,12 @@ function requestAjax2(refreshtime) { query = ""; } var q = new URLSearchParams(query); - q.set("s", search); + q.set("nf_s", encodeURIComponent(search)); query = "?" + q.toString(); } else { if (query != null) { var q = new URLSearchParams(query); - q.delete("s"); + q.delete("nf_s"); var newq = q.toString(); if (newq != null && newq.length > 0) { query = "?" + newq; diff --git a/apps/i2psnark/resources/themes/dark/snark.css b/apps/i2psnark/resources/themes/dark/snark.css index ff10571f7..f392273d9 100644 --- a/apps/i2psnark/resources/themes/dark/snark.css +++ b/apps/i2psnark/resources/themes/dark/snark.css @@ -224,6 +224,27 @@ _:-ms-lang(x), .snarknavbar { margin-top: 0 !important; } +#search { + display: inline-block; + position: absolute; + top: 6px; + right: 3px; +} + +#searchbox { + background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important; + margin: 2px 4px 2px 24px !important; + padding: 4px 32px 4px 32px !important; + color: black; +} + +#searchcancel { + background: url(images/cancel.png); + margin: 2px 4px 2px -28px; + color: transparent; + border: none; +} + /* end topnav */ /* screenlog */ diff --git a/apps/i2psnark/resources/themes/light/snark.css b/apps/i2psnark/resources/themes/light/snark.css index c3e3391f0..18134c414 100644 --- a/apps/i2psnark/resources/themes/light/snark.css +++ b/apps/i2psnark/resources/themes/light/snark.css @@ -229,6 +229,27 @@ button::-moz-focus-inner, input::-moz-focus-inner { background: #f60 url(images/button_tracker_active.png) 8px center no-repeat; } +#search { + display: inline-block; + position: absolute; + top: 6px; + right: 3px; +} + +#searchbox { + background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important; + margin: 2px 4px 2px 24px !important; + padding: 4px 32px 4px 32px !important; + color: black; +} + +#searchcancel { + background: url(images/cancel.png); + margin: 2px 4px 2px -28px; + color: transparent; + border: none; +} + /* end top nav */ /* screenlog */ diff --git a/apps/i2psnark/resources/themes/ubergine/snark.css b/apps/i2psnark/resources/themes/ubergine/snark.css index 6394cecea..e3afeb55d 100644 --- a/apps/i2psnark/resources/themes/ubergine/snark.css +++ b/apps/i2psnark/resources/themes/ubergine/snark.css @@ -231,7 +231,6 @@ _:-ms-lang(x), .snarkNav:last-child[href="/i2psnark/"] { #search { display: inline-block; - float: right; position: absolute; top: 6px; right: 3px; diff --git a/apps/i2psnark/resources/themes/vanilla/snark.css b/apps/i2psnark/resources/themes/vanilla/snark.css index a119bc100..1a70c5cac 100644 --- a/apps/i2psnark/resources/themes/vanilla/snark.css +++ b/apps/i2psnark/resources/themes/vanilla/snark.css @@ -272,6 +272,27 @@ _:-ms-lang(x), .snarkNav:link, .snarkNav:visited { transition: ease box-shadow 0.1s; } +#search { + display: inline-block; + position: absolute; + top: 6px; + right: 3px; +} + +#searchbox { + background: #f60 url(/themes/console/images/buttons/search.png) 7px center no-repeat !important; + margin: 2px 4px 2px 24px !important; + padding: 4px 32px 4px 32px !important; + color: black; +} + +#searchcancel { + background: url(images/cancel.png); + margin: 2px 4px 2px -28px; + color: transparent; + border: none; +} + /* end topnav */ /* screenlog */ diff --git a/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java b/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java index b24c3d324..163505906 100644 --- a/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java +++ b/apps/jetty/java/src/net/i2p/servlet/filters/XSSRequestWrapper.java @@ -26,6 +26,8 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper { private static final Pattern parameterValuePattern = Pattern.compile(SystemVersion.isWindows() ? WIN_PATTERN : NON_WIN_PATTERN); private static final Pattern headerValuePattern = Pattern.compile("^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ \"]*$"); private static final String NOFILTER = "nofilter_"; + // shorter flavor + private static final String NOFILTER2 = "nf_"; public XSSRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); @@ -33,11 +35,12 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper { /** * Parameter names starting with "nofilter_" will not be filtered. + * As of 0.9.58, names starting with "nf_" will not be filtered. */ @Override public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); - if (parameter.startsWith(NOFILTER)) + if (parameter.startsWith(NOFILTER) || parameter.startsWith(NOFILTER2)) return values; if (values == null) { @@ -70,11 +73,12 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper { /** * Parameter names starting with "nofilter_" will not be filtered. + * As of 0.9.58, names starting with "nf_" will not be filtered. */ @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); - if (parameter.startsWith(NOFILTER)) + if (parameter.startsWith(NOFILTER) || parameter.startsWith(NOFILTER2)) return value; String rv = stripXSS(value, parameterValuePattern); if (value != null && rv == null) { @@ -86,6 +90,7 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper { /** * Parameter names starting with "nofilter_" will not be filtered. + * As of 0.9.58, names starting with "nf_" will not be filtered. */ @Override public Map getParameterMap() {