0.3: verify dest

build.xml

@@ -11,7 +11,7 @@
         <delete file="plugin/i2ptunnel.config" />
         <!-- get version number -->
         <buildnumber file="scripts/build.number" />
-        <property name="release.number" value="0.2" />
+        <property name="release.number" value="0.3" />
 
         <!-- make the update xpi2p -->
         <!-- this contains everything except i2ptunnel.config -->

src/build.xml

@@ -10,7 +10,6 @@
         <pathelement location="${i2plib}/i2p.jar" />
         <pathelement location="${i2plib}/i2ptunnel.jar" />
         <pathelement location="${i2plib}/i2psnark.jar" />
-        <pathelement location="${i2plib}/routerconsole.jar" />
         <pathelement location="${jettylib}/ant.jar"/>
         <pathelement location="${jettylib}/org.mortbay.jetty.jar"/>
         <pathelement location="${jettylib}/jasper-compiler.jar" />

src/jsp/announce.jsp

@@ -28,6 +28,7 @@
 	// would be nice to make these configurable
 	final int MAX_RESPONSES = 25;
 	final int INTERVAL = 27*60;
+	final boolean ALLOW_IP_MISMATCH = false;
 
 	// so the chars will turn into bytes correctly
 	request.setCharacterEncoding("ISO-8859-1");
@@ -47,14 +48,15 @@
 	String event = request.getParameter("event");
 	String ip = request.getParameter("ip");
 	String numwant = request.getParameter("numwant");
-	// ignored, use someday to enforce destination
-        String him = request.getHeader("X-I2P-DestB32");
+	// use to enforce destination
+        String him = request.getHeader("X-I2P-DestB64");
         String xff = request.getHeader("X-Forwarded-For");
+        String xfs = request.getHeader("X-Forwarded-Server");
 
 	boolean fail = false;
 	String msg = "bad announce";
 
-	if (xff != null) {
+	if (xff != null || xfs != null) {
 		fail = true;
 		msg = "Non-I2P access denied";
 	        response.setStatus(403, msg);
@@ -134,6 +136,14 @@
 			want = 0;
 	} catch (NumberFormatException nfe) {};
 
+	// spoof check
+	// if him == null, we are not using the I2P HTTP server tunnel, or something is wrong
+	boolean matchIP = ALLOW_IP_MISMATCH || him == null || ip.equals(him);
+	if (want <= 0 && (!matchIP) && !fail) {
+		fail = true;
+		msg = "ip mismatch";
+	}
+
 	long left = 0;
 	if (!"completed".equals(event)) {
 		try {
@@ -149,7 +159,7 @@
 		m.put("failure reason", msg);		
 	} else if ("stopped".equals(event)) {
 		Peers peers = torrents.get(ih);
-		if (peers != null)
+		if (matchIP && peers != null)
 			peers.remove(pid);
 		m.put("interval", Integer.valueOf(INTERVAL));
 	} else {
@@ -165,11 +175,16 @@
 		Peer p = peers.get(pid);
 		if (p == null) {
 			p = new Peer(pid.getData(), d);
-			Peer p2 = peers.putIfAbsent(pid, p);
-			if (p2 != null)
-				p = p2;
+			// don't add if spoofed
+			if (matchIP) {
+				Peer p2 = peers.putIfAbsent(pid, p);
+				if (p2 != null)
+					p = p2;
+			}
 		}
-		p.setLeft(left);
+		// don't update if spoofed
+		if (matchIP)
+			p.setLeft(left);
 
 		m.put("interval", Integer.valueOf(INTERVAL));
 		int size = peers.size();

src/jsp/scrape.jsp

@@ -33,11 +33,12 @@
         response.setHeader("Pragma", "no-cache");
 	String info_hash = request.getParameter("info_hash");
         String xff = request.getHeader("X-Forwarded-For");
+        String xfs = request.getHeader("X-Forwarded-Server");
 
 	boolean fail = false;
 	String msg = "bad";
 
-	if (xff != null) {
+	if (xff != null || xfs != null) {
 		fail = true;
 		msg = "Non-I2P access denied";
 	        response.setStatus(403, msg);

src/jsp/seedless.jsp

@@ -28,6 +28,7 @@
 	// unused, we don't accept announces
 	String him = request.getHeader("X-I2P-DestB32");
         String xff = request.getHeader("X-Forwarded-For");
+        String xfs = request.getHeader("X-Forwarded-Server");
 
 	response.setContentType("text/plain");
 	response.setHeader("X-Seedless", me);
@@ -35,7 +36,7 @@
 	final int US_MINUTES = 360;
 	final int PEER_MINUTES = 60;
 
-	if (xff != null) {
+	if (xff != null || xfs != null) {
 		String msg = "Non-I2P access denied";
 	        response.setStatus(403, msg);
 		out.println(msg);