results = searchManager.getResults().get(uuid).getByInfoHash(infoHash);
@@ -95,6 +111,10 @@ public class DownloadServlet extends HttpServlet {
Thread.sleep(100);
} catch (InterruptedException e) {}
} else if (action.equals("cancel")) {
+ if (downloadManager == null) {
+ resp.sendError(403, "Not initialized");
+ return;
+ }
downloadManager.getDownloaders().stream().filter(d -> d.getInfoHash().equals(infoHash)).findAny().
ifPresent(d -> {
d.cancel();
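Review bot: The status code on the new guard `resp.sendError(403, "Not initialized")` misdescribes the condition: 403 says the caller is not authorised, whereas a null downloadManager means the server is not ready yet, which is a 503. I would write `resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Not initialized");` here and in the matching guards added to SearchServlet (doPost, and the groupBySender, groupByFile and connectionsCount branches of doGet). Keeping the two apart also stops a startup race from reading like an authorisation failure in the access log. The enclosing request handler starts and ends outside this hunk, so I cannot tell from here whether the cancel action is reached via GET or POST.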
diff --git a/webui/src/main/java/com/muwire/webui/SearchServlet.java b/webui/src/main/java/com/muwire/webui/SearchServlet.java
index 9aa27d69..90090baa 100644
--- a/webui/src/main/java/com/muwire/webui/SearchServlet.java
+++ b/webui/src/main/java/com/muwire/webui/SearchServlet.java
@@ -24,6 +24,10 @@ public class SearchServlet extends HttpServlet {
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ if (searchManager == null) {
+ resp.sendError(403, "Not initialized");
+ return;
+ }
String search = req.getParameter("search");
searchManager.newSearch(search);
resp.sendRedirect("/MuWire/Home.jsp");
@@ -34,25 +38,33 @@ public class SearchServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String section = req.getParameter("section");
+ if (section == null) {
+ resp.sendError(403, "Bad section param");
+ return;
+ }
StringBuilder sb = new StringBuilder();
sb.append("");
if (section.equals("groupBySender")) {
+ if (searchManager == null) {
+ resp.sendError(403, "Not initialized");
+ return;
+ }
sb.append("");
for (SearchResults results : searchManager.getResults().values()) {
sb.append("");
sb.append("").append(results.getUUID()).append("");
- sb.append("").append(results.getSearch()).append("");
+ sb.append("").append(DataHelper.escapeHTML(results.getSearch())).append("");
Map> bySender = results.getBySender();
sb.append("");
bySender.forEach((sender, resultsFromSender) -> {
sb.append("");
sb.append("");
- sb.append(sender.getHumanReadableName());
+ sb.append(DataHelper.escapeHTML(sender.getHumanReadableName()));
sb.append("");
resultsFromSender.forEach(result -> {
sb.append("");
sb.append("");
- sb.append(result.getName());
+ sb.append(DataHelper.escapeHTML(result.getName()));
sb.append("");
sb.append("");
sb.append(DataHelper.formatSize2Decimal(result.getSize(), false)).append("B");
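Review bot: A missing `section` parameter is a malformed request, so the new check should answer 400 rather than 403: `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad section param");`; the same applies to the `else` branch added in the last hunk of this file for an unrecognised section value. Escaping the search string, sender name and result name is the right fix; the markup has been stripped from this rendering so I cannot see whether any escaped value lands inside an attribute, and if one does, confirm that DataHelper.escapeHTML escapes quotes as well as angle brackets. The UUID value is still appended unescaped, which is fine provided getUUID() returns a java.util.UUID rather than a caller-supplied string — worth confirming. doGet continues past the end of this hunk.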
@@ -70,22 +82,26 @@ public class SearchServlet extends HttpServlet {
}
sb.append("");
} else if (section.equals("groupByFile")) {
+ if (searchManager == null) {
+ resp.sendError(403, "Not initialized");
+ return;
+ }
sb.append("");
for (SearchResults results : searchManager.getResults().values()) {
sb.append("");
sb.append("").append(results.getUUID()).append("");
- sb.append("").append(results.getSearch()).append("");
+ sb.append("").append(DataHelper.escapeHTML(results.getSearch())).append("");
Map> byInfohash = results.getByInfoHash();
sb.append("");
byInfohash.forEach((infoHash, resultSet) -> {
sb.append("");
UIResultEvent first = resultSet.iterator().next();
sb.append("").append(Base64.encode(infoHash.getRoot())).append("");
- sb.append("").append(first.getName()).append("");
+ sb.append("").append(DataHelper.escapeHTML(first.getName())).append("");
sb.append("").append(DataHelper.formatSize2Decimal(first.getSize(), false)).append("B").append("");
resultSet.forEach(result -> {
sb.append("");
- sb.append("").append(result.getSender().getHumanReadableName()).append("");
+ sb.append("").append(DataHelper.escapeHTML(result.getSender().getHumanReadableName())).append("");
sb.append("");
});
sb.append("");
@@ -95,11 +111,22 @@ public class SearchServlet extends HttpServlet {
}
sb.append("");
} else if (section.equals("connectionsCount")) {
+ if (connectionCounter == null) {
+ resp.sendError(403, "Not initialized");
+ return;
+ }
sb.append("");
sb.append(connectionCounter.getConnections());
sb.append("");
+ } else {
+ resp.sendError(403, "Bad section param");
+ return;
}
resp.setContentType("text/xml");
+ resp.setCharacterEncoding("UTF-8");
+ resp.setDateHeader("Expires", 0);
+ resp.setHeader("Pragma", "no-cache");
+ resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate");
resp.getWriter().write(sb.toString());
resp.flushBuffer();
}
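Review bot: The body of this response carries remote-supplied strings (search terms, peer names, file names) that are now HTML-escaped, so while the cache headers are being added it is worth also sending `resp.setHeader("X-Content-Type-Options", "nosniff");` so a browser never reinterprets the text/xml body as another type. As a point of style, `resp.setContentType("text/xml")` followed by `resp.setCharacterEncoding("UTF-8")` can be the single call `resp.setContentType("text/xml; charset=UTF-8");`, which keeps the charset visible next to the media type. doGet begins outside this hunk.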
diff --git a/webui/src/main/js/conncount.js b/webui/src/main/js/conncount.js
index 0b7d21c0..ed117dc5 100644
--- a/webui/src/main/js/conncount.js
+++ b/webui/src/main/js/conncount.js
@@ -5,7 +5,7 @@ function refreshConnectionsCount() {
var connections = this.responseXML.getElementsByTagName("Connections");
var count = connections[0].childNodes[0].nodeValue
var connectionCountSpan = document.getElementById("connectionsCount");
- var countString = "Connections: "+count;
+ var countString = ""+count;
connectionCountSpan.innerHTML = countString;
}
}
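Review bot: The value built on the new line `var countString = ""+count;` is still written through `connectionCountSpan.innerHTML` on the next line, so whatever text arrives in the Connections element is parsed as markup. Since it is only meant to be displayed, the sink should be `connectionCountSpan.textContent = countString;`, which also makes the string concatenation unnecessary. refreshConnectionsCount starts outside this hunk.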
diff --git a/webui/src/main/webapp/Downloads.jsp b/webui/src/main/webapp/Downloads.jsp
index 8bef8c77..abbe543c 100644
--- a/webui/src/main/webapp/Downloads.jsp
+++ b/webui/src/main/webapp/Downloads.jsp
@@ -15,8 +15,8 @@
<%@include file="css.jsi"%>
-
+
<%@include file="header.jsi"%>
Downloads:
diff --git a/webui/src/main/webapp/Home.jsp b/webui/src/main/webapp/Home.jsp
index 6619e779..188a7c7c 100644
--- a/webui/src/main/webapp/Home.jsp
+++ b/webui/src/main/webapp/Home.jsp
@@ -19,8 +19,8 @@
<%@include file="css.jsi"%>
-
+
<%@include file="header.jsi"%>
<% if (groupBy.equals("sender")) { %>
diff --git a/webui/src/main/webapp/header.jsi b/webui/src/main/webapp/header.jsi
index 90797d5a..45268efb 100644
--- a/webui/src/main/webapp/header.jsi
+++ b/webui/src/main/webapp/header.jsi
@@ -6,7 +6,7 @@
${persona}
- Connections : 0
+ Connections: 0
<% if ("Home".equals(pagetitle)) { %>