From beab2be7139b1255084699783622ae041934cc8a Mon Sep 17 00:00:00 2001 From: Zlatin Balevsky Date: Thu, 5 Dec 2019 12:19:10 +0000 Subject: [PATCH] null checks on unitialized core, html escaping, move scriptst to , thanks zzz --- .../com/muwire/webui/DownloadServlet.java | 22 ++++++++++- .../java/com/muwire/webui/SearchServlet.java | 39 ++++++++++++++++--- webui/src/main/js/conncount.js | 2 +- webui/src/main/webapp/Downloads.jsp | 2 +- webui/src/main/webapp/Home.jsp | 2 +- webui/src/main/webapp/header.jsi | 2 +- webui/src/main/webapp/initcode.jsi | 4 +- 7 files changed, 60 insertions(+), 13 deletions(-) diff --git a/webui/src/main/java/com/muwire/webui/DownloadServlet.java b/webui/src/main/java/com/muwire/webui/DownloadServlet.java index 0f8f9d54..9641805a 100644 --- a/webui/src/main/java/com/muwire/webui/DownloadServlet.java +++ b/webui/src/main/java/com/muwire/webui/DownloadServlet.java @@ -38,13 +38,17 @@ public class DownloadServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + if (downloadManager == null) { + resp.sendError(403, "Not initialized"); + return; + } StringBuilder sb = new StringBuilder(); sb.append(""); sb.append(""); downloadManager.getDownloaders().forEach(d -> { sb.append(""); sb.append("").append(Base64.encode(d.getInfoHash().getRoot())).append(""); - sb.append("").append(d.getFile().getName()).append(""); + sb.append("").append(DataHelper.escapeHTML(d.getFile().getName())).append(""); sb.append("").append(d.getCurrentState().toString()).append(""); int speed = d.speed(); sb.append("").append(DataHelper.formatSize2Decimal(speed)).append("B/sec").append(""); 
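Review bot: The startup guard at the top of doGet answers with 403, which tells the caller it is forbidden rather than that the backend is not ready; `resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Not initialized");` (503) describes the condition and lets the polling page retry instead of treating the node as denied. The escapeHTML() on the file name closes the markup-injection hole, but the document is served as text/xml, so a peer-supplied name containing bytes XML 1.0 forbids (most C0 control characters) would presumably still leave the browser's responseXML null for the whole list unless escapeHTML also strips them — worth confirming and filtering if it does not. `d.getCurrentState().toString()` stays unescaped, which is only safe if the state is an enum with fixed names; I cannot see its type from here. doGet continues in the next hunk.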
@@ -70,6 +74,10 @@ public class DownloadServlet extends HttpServlet { }); sb.append(""); resp.setContentType("text/xml"); + resp.setCharacterEncoding("UTF-8"); + resp.setDateHeader("Expires", 0); + resp.setHeader("Pragma", "no-cache"); + resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate"); resp.getWriter().write(sb.toString()); resp.getWriter().flush(); } @@ -80,7 +88,15 @@ public class DownloadServlet extends HttpServlet { String infoHashB64 = req.getParameter("infoHash"); InfoHash infoHash = new InfoHash(Base64.decode(infoHashB64)); String action = req.getParameter("action"); + if (action == null) { + resp.sendError(403, "Bad action param"); + return; + } if (action.equals("start")) { + if (core == null) { + resp.sendError(403, "Not initialized"); + return; + } UUID uuid = UUID.fromString(req.getParameter("uuid")); Set results = searchManager.getResults().get(uuid).getByInfoHash(infoHash); @@ -95,6 +111,10 @@ public class DownloadServlet extends HttpServlet { Thread.sleep(100); } catch (InterruptedException e) {} } else if (action.equals("cancel")) { + if (downloadManager == null) { + resp.sendError(403, "Not initialized"); + return; + } downloadManager.getDownloaders().stream().filter(d -> d.getInfoHash().equals(infoHash)).findAny(). ifPresent(d -> { d.cancel(); diff --git a/webui/src/main/java/com/muwire/webui/SearchServlet.java b/webui/src/main/java/com/muwire/webui/SearchServlet.java index 9aa27d69..90090baa 100644 --- a/webui/src/main/java/com/muwire/webui/SearchServlet.java +++ b/webui/src/main/java/com/muwire/webui/SearchServlet.java @@ -24,6 +24,10 @@ public class SearchServlet extends HttpServlet { @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + if (searchManager == null) { + resp.sendError(403, "Not initialized"); + return; + } String search = req.getParameter("search"); searchManager.newSearch(search); resp.sendRedirect("/MuWire/Home.jsp"); 
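Review bot: The new `action == null` guard in doPost runs after `new InfoHash(Base64.decode(infoHashB64))`, so a request with a missing or malformed infoHash parameter still throws out of the servlet as a 500 before the guard is reached; parameter validation belongs first, and a rejected parameter is a 400, not a 403. The start branch also trusts `req.getParameter("uuid")` and `searchManager.getResults().get(uuid)`: a garbage uuid throws from UUID.fromString and an unknown one yields a null that is dereferenced on the same line. It guards `core` but then touches `searchManager`, while the cancel branch guards `downloadManager`; unless these are always initialised together, each branch should check the objects it actually uses. Note also that this handler changes node state from form parameters alone; if the hosting console does not inject a CSRF nonce for plugin servlets, any page the user visits can start a download, so that is worth confirming. The method ends outside the hunk.
```java
String infoHashB64 = req.getParameter("infoHash");
String action = req.getParameter("action");
if (infoHashB64 == null || action == null) {
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing infoHash or action param");
    return;
}
byte[] decoded = Base64.decode(infoHashB64);
if (decoded == null) { // presumably I2P's Base64 returns null on bad input — confirm
    resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad infoHash param");
    return;
}
InfoHash infoHash = new InfoHash(decoded);
if (action.equals("start")) {
    if (core == null || searchManager == null) {
        resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Not initialized");
        return;
    }
    String uuidParam = req.getParameter("uuid");
    UUID uuid = null;
    try {
        uuid = uuidParam == null ? null : UUID.fromString(uuidParam);
    } catch (IllegalArgumentException e) {
        // fall through to the 400 below
    }
    SearchResults searchResults = uuid == null ? null : searchManager.getResults().get(uuid);
    if (searchResults == null) {
        resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown or bad uuid param");
        return;
    }
    Set results = searchResults.getByInfoHash(infoHash);
    // … unchanged: download start, sleep, cancel branch …
```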
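Review bot: SearchServlet.doPost hands `req.getParameter("search")` straight to `searchManager.newSearch`, so a request without that parameter passes a null into the search layer; it needs a guard next to the new one, e.g. `if (search == null || search.trim().isEmpty()) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing search param"); return; }`. The uninitialised case reads better as 503 (`SC_SERVICE_UNAVAILABLE`) than 403, which a client interprets as an authorization failure. As in DownloadServlet, this POST acts on form fields alone; unless the console supplies a CSRF nonce for plugin servlets, a cross-site form can issue searches on the user's behalf — worth confirming.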
@@ -34,25 +38,33 @@ public class SearchServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String section = req.getParameter("section"); + if (section == null) { + resp.sendError(403, "Bad section param"); + return; + } StringBuilder sb = new StringBuilder(); sb.append(""); if (section.equals("groupBySender")) { + if (searchManager == null) { + resp.sendError(403, "Not initialized"); + return; + } sb.append(""); for (SearchResults results : searchManager.getResults().values()) { sb.append(""); sb.append("").append(results.getUUID()).append(""); - sb.append("").append(results.getSearch()).append(""); + sb.append("").append(DataHelper.escapeHTML(results.getSearch())).append(""); Map> bySender = results.getBySender(); sb.append(""); bySender.forEach((sender, resultsFromSender) -> { sb.append(""); sb.append(""); - sb.append(sender.getHumanReadableName()); + sb.append(DataHelper.escapeHTML(sender.getHumanReadableName())); sb.append(""); resultsFromSender.forEach(result -> { sb.append(""); sb.append(""); - sb.append(result.getName()); + sb.append(DataHelper.escapeHTML(result.getName())); sb.append(""); sb.append(""); sb.append(DataHelper.formatSize2Decimal(result.getSize(), false)).append("B"); 
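Review bot: A missing `section` parameter is a client error and should be answered with 400 (`HttpServletResponse.SC_BAD_REQUEST`) rather than the 403 used here, and the uninitialised `searchManager` case with 503; using one code for both hides from the polling JS whether it should retry or stop. The escaping of `results.getSearch()`, the sender name and `result.getName()` covers the markup characters, but the body is parsed as XML, so peer-supplied names containing control characters XML 1.0 forbids would presumably still make `responseXML` null for the whole page unless escapeHTML removes them — confirm against its implementation. The `searchManager == null` test is repeated inside each result branch; a comment such as `// each branch guards its own backend; connectionsCount uses connectionCounter` would explain why it is not hoisted. The method continues past this hunk.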
@@ -70,22 +82,26 @@ public class SearchServlet extends HttpServlet { } sb.append(""); } else if (section.equals("groupByFile")) { + if (searchManager == null) { + resp.sendError(403, "Not initialized"); + return; + } sb.append(""); for (SearchResults results : searchManager.getResults().values()) { sb.append(""); sb.append("").append(results.getUUID()).append(""); - sb.append("").append(results.getSearch()).append(""); + sb.append("").append(DataHelper.escapeHTML(results.getSearch())).append(""); Map> byInfohash = results.getByInfoHash(); sb.append(""); byInfohash.forEach((infoHash, resultSet) -> { sb.append(""); UIResultEvent first = resultSet.iterator().next(); sb.append("").append(Base64.encode(infoHash.getRoot())).append(""); - sb.append("").append(first.getName()).append(""); + sb.append("").append(DataHelper.escapeHTML(first.getName())).append(""); sb.append("").append(DataHelper.formatSize2Decimal(first.getSize(), false)).append("B").append(""); resultSet.forEach(result -> { sb.append(""); - sb.append("").append(result.getSender().getHumanReadableName()).append(""); + sb.append("").append(DataHelper.escapeHTML(result.getSender().getHumanReadableName())).append(""); sb.append(""); }); sb.append(""); @@ -95,11 +111,22 @@ public class SearchServlet extends HttpServlet { } sb.append(""); } else if (section.equals("connectionsCount")) { + if (connectionCounter == null) { + resp.sendError(403, "Not initialized"); + return; + } sb.append(""); sb.append(connectionCounter.getConnections()); sb.append(""); + } else { + resp.sendError(403, "Bad section param"); + return; } resp.setContentType("text/xml"); + resp.setCharacterEncoding("UTF-8"); + resp.setDateHeader("Expires", 0); + resp.setHeader("Pragma", "no-cache"); + resp.setHeader("Cache-Control", "no-store, max-age=0, no-cache, must-revalidate"); resp.getWriter().write(sb.toString()); resp.flushBuffer(); } diff --git a/webui/src/main/js/conncount.js b/webui/src/main/js/conncount.js index 0b7d21c0..ed117dc5 100644 
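Review bot: The new fall-through `else` rejects an unknown section with the same 403 used a few lines up for an uninitialised `connectionCounter`, so a caller cannot tell a typo from a node still starting; `resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad section param");` for the parameter and `SC_SERVICE_UNAVAILABLE` for the backend keep the two distinct and let the client back off only in the second case. Since sendError emits an HTML error page rather than the XML the callers parse, the JS side needs to check status before reading `responseXML` (see the conncount.js hunk). The cache-control headers added below are appropriate for a live-polled document and match the DownloadServlet change.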
--- a/webui/src/main/js/conncount.js +++ b/webui/src/main/js/conncount.js @@ -5,7 +5,7 @@ function refreshConnectionsCount() { var connections = this.responseXML.getElementsByTagName("Connections"); var count = connections[0].childNodes[0].nodeValue var connectionCountSpan = document.getElementById("connectionsCount"); - var countString = "Connections: "+count; + var countString = ""+count; connectionCountSpan.innerHTML = countString; } } diff --git a/webui/src/main/webapp/Downloads.jsp b/webui/src/main/webapp/Downloads.jsp index 8bef8c77..abbe543c 100644 --- a/webui/src/main/webapp/Downloads.jsp +++ b/webui/src/main/webapp/Downloads.jsp @@ -15,8 +15,8 @@ <%@include file="css.jsi"%> - + <%@include file="header.jsi"%>
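Review bot: `connectionCountSpan.innerHTML = countString;` remains the sink for a value read from the server's XML; today the count comes from `connectionCounter.getConnections()` and is a number, but `connectionCountSpan.textContent = countString;` renders the same text without keeping an HTML-parsing sink around for whatever is put into that element next. Separately, SearchServlet now answers 403 while the core is uninitialised, and that error page is not XML, so `this.responseXML` will presumably be null here and `getElementsByTagName` will throw inside the callback; a guard such as `if (this.status !== 200 || !this.responseXML) return;` ahead of the lookup would make the poll survive startup. The handler's opening lines are above the hunk, so I cannot see whether readyState or status is already checked there.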

Downloads:

diff --git a/webui/src/main/webapp/Home.jsp b/webui/src/main/webapp/Home.jsp index 6619e779..188a7c7c 100644 --- a/webui/src/main/webapp/Home.jsp +++ b/webui/src/main/webapp/Home.jsp @@ -19,8 +19,8 @@ <%@include file="css.jsi"%> - + <%@include file="header.jsi"%> <% if (groupBy.equals("sender")) { %> diff --git a/webui/src/main/webapp/header.jsi b/webui/src/main/webapp/header.jsi index 90797d5a..45268efb 100644 --- a/webui/src/main/webapp/header.jsi +++ b/webui/src/main/webapp/header.jsi @@ -6,7 +6,7 @@
${persona}
- Connections : 0 + Connections: 0
<% if ("Home".equals(pagetitle)) { %>
diff --git a/webui/src/main/webapp/initcode.jsi b/webui/src/main/webapp/initcode.jsi
index 1a5b9b7e..626374d7 100644
--- a/webui/src/main/webapp/initcode.jsi
+++ b/webui/src/main/webapp/initcode.jsi
@@ -1,5 +1,5 @@
 <%
 MuWireClient client = (MuWireClient) application.getAttribute("mwClient");
- String persona = client.getCore().getMe().getHumanReadableName();
- String version = client.getCore().getVersion();
+ String persona = client != null ? net.i2p.data.DataHelper.escapeHTML(client.getCore().getMe().getHumanReadableName()) : "";
+ String version = client != null ? client.getCore().getVersion() : "";
 %>
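Review bot: The new guards test only `client != null`, yet the servlets in this same patch treat `core` and the managers built from it as possibly null after the client exists, so `client.getCore().getMe()` here would still throw during that window — the case the commit title says it is fixing. If core can indeed be null while the client is registered, guard it too: `String persona = client != null && client.getCore() != null ? net.i2p.data.DataHelper.escapeHTML(client.getCore().getMe().getHumanReadableName()) : "";` and the same shape for `version`. Escaping the persona at definition time is the right place, since header.jsi emits `${persona}` directly; `version` is produced by the node itself and is fine unescaped.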