From 7ef528bbde9aa8dda561a24236d1a2e0177c0e04 Mon Sep 17 00:00:00 2001
From: jrandom <jrandom>
Date: Fri, 25 Jun 2004 17:18:21 +0000
Subject: [PATCH] add some minimal security to the admin console, requiring a
passphrase to be entered when updating the clock offset this works by a
simple substring match of the URL - if the router.config contains the
adminTimePassphrase=blah, the time update will only succeed if the URL
contains "blah" in it if the router.config does NOT contain an
adminTimePassphrase, the time update WILL BE REFUSED. aka to use the
timestamper, you MUST set adminTimePassphrase AND update the
clientApp.0.args= line to include the passphrase in the URL! e.g.
clientApp.0.args=http://localhost:7655/setTime?blah pool.ntp.org pool.ntp.org
pool.ntp.org
---
installer/java/src/router.config.template | 8 +++++-
.../src/net/i2p/router/admin/AdminRunner.java | 27 +++++++++++++++++--
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/installer/java/src/router.config.template b/installer/java/src/router.config.template
index 8b5a8aaccf..bd235707b5 100644
--- a/installer/java/src/router.config.template
+++ b/installer/java/src/router.config.template
@@ -168,7 +168,13 @@ router.maxWaitingJobs=40
clientApp.0.main=net.i2p.time.Timestamper
clientApp.0.name=Timestamper
clientApp.0.onBoot=true
-clientApp.0.args=http://localhost:7655/setTime?k=v pool.ntp.org pool.ntp.org pool.ntp.org
+clientApp.0.args=http://localhost:7655/setTime?putTheValueFromBelowHere pool.ntp.org pool.ntp.org pool.ntp.org
+
+# The admin time passphrase, used to prevent unauthorized people from updating your
+# routers time. The value should be included in the timestamper's args above,
+# otherwise it wont honor timestamp updates. You shouldnt include any spaces or funky
+# characters - just pick some random numbers.
+adminTimePassphrase=pleaseSetSomeValueHere
# SAM bridge (a simplified socket based protocol for using I2P - listens on port 7656. see
# the specs at http://www.i2p.net/node/view/144 for more info)
diff --git a/router/java/src/net/i2p/router/admin/AdminRunner.java b/router/java/src/net/i2p/router/admin/AdminRunner.java
index 994babb213..2a32bec0b9 100644
--- a/router/java/src/net/i2p/router/admin/AdminRunner.java
+++ b/router/java/src/net/i2p/router/admin/AdminRunner.java
@@ -51,8 +51,12 @@ class AdminRunner implements Runnable {
} else if (command.indexOf("/profile/") >= 0) {
replyText(out, getProfile(command));
} else if (command.indexOf("setTime") >= 0) {
- setTime(command);
- reply(out, "<html><body>Time updated</body></html>");
+ if (allowTimeUpdate(command)) {
+ setTime(command);
+ reply(out, "<html><body>Time updated</body></html>");
+ } else {
+ reply(out, "<html><body>Time not updated</body></html>");
+ }
} else if (command.indexOf("/shutdown") >= 0) {
reply(out, shutdown(command));
} else if (true || command.indexOf("routerConsole.html") > 0) {
@@ -60,6 +64,25 @@ class AdminRunner implements Runnable {
}
}
+ private boolean allowTimeUpdate(String command) {
+ String pass = _context.getProperty("adminTimePassphrase");
+ if ( (pass == null) || (pass.trim().length() <= 0) ) {
+ if (_log.shouldLog(Log.ERROR))
+ _log.error("No passphrase for update time from " + _socket.getInetAddress()
+ + ":" + _socket.getPort());
+ return false;
+ }
+
+ if (command.indexOf(pass) != -1) {
+ return true;
+ } else {
+ if (_log.shouldLog(Log.ERROR))
+ _log.error("Invalid passphrase for update time from " + _socket.getInetAddress()
+ + ":" + _socket.getPort());
+ return false;
+ }
+ }
+
private void reply(OutputStream out, String content) throws IOException {
StringBuffer reply = new StringBuffer(10240);
reply.append("HTTP/1.1 200 OK\n");
--
GitLab