From 01cc32217fb2dccaf20284261579addca0d42474 Mon Sep 17 00:00:00 2001
From: Michael Peter Christen <mc@yacy.net>
Date: Tue, 22 Dec 2020 00:46:47 +0100
Subject: [PATCH] fixed apicall call method parameters and verification in
 transaction manager which did not have and exception for localhost/basic
 authentication

---
 bin/clearall.sh                              |  2 +-
 bin/clearcache.sh                            |  2 +-
 bin/clearindex.sh                            |  2 +-
 bin/deleteurl.sh                             |  2 +-
 bin/importmediawiki.sh                       |  2 +-
 bin/passwd.sh                                |  2 +-
 source/net/yacy/data/TransactionManager.java | 25 ++++++++++----------
 stopYACY.sh                                  |  2 +-
 updateYACY.sh                                |  2 +-
 9 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/bin/clearall.sh b/bin/clearall.sh
index 2f157f6a9..fc1a019b8 100755
--- a/bin/clearall.sh
+++ b/bin/clearall.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on" > /dev/null
diff --git a/bin/clearcache.sh b/bin/clearcache.sh
index 97de5f40e..ead3fe4a9 100755
--- a/bin/clearcache.sh
+++ b/bin/clearcache.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete=" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete=" > /dev/null
diff --git a/bin/clearindex.sh b/bin/clearindex.sh
index 773bb824b..21d88201d 100755
--- a/bin/clearindex.sh
+++ b/bin/clearindex.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off" > /dev/null
diff --git a/bin/deleteurl.sh b/bin/deleteurl.sh
index e5cb00da3..7a8b3ef4a 100755
--- a/bin/deleteurl.sh
+++ b/bin/deleteurl.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "urlhashdeleteall=&urlstring=$1" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?urlhashdeleteall=&urlstring=$1" > /dev/null
diff --git a/bin/importmediawiki.sh b/bin/importmediawiki.sh
index 7f5e829f8..f37e708c1 100755
--- a/bin/importmediawiki.sh
+++ b/bin/importmediawiki.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexImportMediawiki_p.html" "file=$1" > /dev/null
+./apicall.sh "IndexImportMediawiki_p.html?file=$1" > /dev/null
diff --git a/bin/passwd.sh b/bin/passwd.sh
index 770429b18..34ebc97c6 100755
--- a/bin/passwd.sh
+++ b/bin/passwd.sh
@@ -38,7 +38,7 @@ if [ -f "$YACY_DATA_PATH/yacy.running" ]; then
 	echo "YaCy server appears to be running. Calling the ConfigAccounts_p API..." 
 	# When the server is running we can not directly modify the yacy.conf file so we use the ConfigAccounts_p API.
 	# Otherwise the new password provided here could be overwritten by the server when it saves its in-memory configuration to the yacy.conf file 
-	(./apicall.sh "ConfigAccounts_p.html" "setAdmin=&adminuser=$YACY_ADMIN_USER_NAME&adminpw1=$YACY_ADMIN_PASSWORD&adminpw2=$YACY_ADMIN_PASSWORD&access=" && \
+	(./apicall.sh "ConfigAccounts_p.html?setAdmin=&adminuser=$YACY_ADMIN_USER_NAME&adminpw1=$YACY_ADMIN_PASSWORD&adminpw2=$YACY_ADMIN_PASSWORD&access=" > /dev/null && \
 	echo "Password successfully changed for User Name '$YACY_ADMIN_USER_NAME'.") || \
 	(echo "Password setting failed." && exit 1)
 else
diff --git a/source/net/yacy/data/TransactionManager.java b/source/net/yacy/data/TransactionManager.java
index 92543df16..2a5487ba5 100644
--- a/source/net/yacy/data/TransactionManager.java
+++ b/source/net/yacy/data/TransactionManager.java
@@ -61,7 +61,7 @@ public class TransactionManager {
 	 * @throws NullPointerException
 	 *             when header parameter is null.
 	 */
-    private static String getCurrentUserName(final RequestHeader header) {
+    private static String getUserName(final RequestHeader header) {
         String userName = header.getRemoteUser();
         
 		if (userName == null && header.accessFromLocalhost() && Switchboard.getSwitchboard() != null) {
@@ -124,7 +124,7 @@ public class TransactionManager {
         }
         
         /* Check this comes from an authenticated user */
-        final String userName = getCurrentUserName(header);
+        final String userName = getUserName(header);
 		if (userName == null) {
 			throw new IllegalArgumentException("User is not authenticated");
 		}
@@ -152,23 +152,24 @@ public class TransactionManager {
      * @throws BadTransactionException when a condition for valid transaction is not met.
      */
 	public static void checkPostTransaction(final RequestHeader header, final serverObjects post) {
-        if (header == null || post == null) {
-        	throw new IllegalArgumentException("Missing required parameters.");
-        }
+        if (header == null)
+            throw new IllegalArgumentException("Missing required header parameters.");
+        
+        if (header.accessFromLocalhost()) return; // this is one exception that we accept if basc authentication is gven
         
-		if(!HeaderFramework.METHOD_POST.equals(header.getMethod())) {
+        if (post == null) // non-local requests must use POST parameters
+            throw new IllegalArgumentException("Missing required post parameters.");
+        
+		if (!HeaderFramework.METHOD_POST.equals(header.getMethod())) // non-local users must use POST protocol
 			throw new DisallowedMethodException("HTTP POST method is the only one authorized.");
-		}
 		
-        String userName = getCurrentUserName(header);
-		if (userName == null) {
+        String userName = getUserName(header);
+		if (userName == null)
 			throw new BadTransactionException("User is not authenticated.");
-		}
 		
 		final String transactionToken = post.get(TRANSACTION_TOKEN_PARAM);
-		if(transactionToken == null) {
+		if (transactionToken == null)
 			throw new TemplateMissingParameterException("Missing transaction token.");
-		}
 		
 		final String token = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, SIGNING_KEY)
 				.hmacHex(TOKEN_SEED + userName + header.getPathInfo());
diff --git a/stopYACY.sh b/stopYACY.sh
index 4818819f3..e57f030a6 100755
--- a/stopYACY.sh
+++ b/stopYACY.sh
@@ -20,7 +20,7 @@ if [ ! -f "$YACY_DATA_PATH/yacy.running" ]; then
 	exit 1
 fi
 
-(bin/apicall.sh "Steering.html" "shutdown=true" && \
+(bin/apicall.sh "Steering.html?shutdown=true" > /dev/null && \
 echo "Please wait until the YaCy daemon process terminates [wget]" && \
 echo "You can monitor this with 'tail -f $YACY_DATA_PATH/LOG/yacy00.log' and 'fuser $YACY_DATA_PATH/LOG/yacy00.log'") || \
 exit $?
diff --git a/updateYACY.sh b/updateYACY.sh
index 0e2d8c125..878976a0a 100755
--- a/updateYACY.sh
+++ b/updateYACY.sh
@@ -3,7 +3,7 @@ cd `dirname $0`
 
 if [ -x `which wget` ]
 then
-	bin/apicall.sh "ConfigUpdate_p.html?autoUpdate="
+	bin/apicall.sh "ConfigUpdate_p.html?autoUpdate=" > /dev/null
 
 elif [ -x `which java` ]
 then