From 01cc32217fb2dccaf20284261579addca0d42474 Mon Sep 17 00:00:00 2001
From: Michael Peter Christen
Date: Tue, 22 Dec 2020 00:46:47 +0100
Subject: [PATCH] fixed apicall call method parameters and verification in transaction manager which did not have and exception for localhost/basic authentication
---
 bin/clearall.sh | 2 +-
 bin/clearcache.sh | 2 +-
 bin/clearindex.sh | 2 +-
 bin/deleteurl.sh | 2 +-
 bin/importmediawiki.sh | 2 +-
 bin/passwd.sh | 2 +-
 source/net/yacy/data/TransactionManager.java | 25 ++++++++++----------
 stopYACY.sh | 2 +-
 updateYACY.sh | 2 +-
 9 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/bin/clearall.sh b/bin/clearall.sh
index 2f157f6a9..fc1a019b8 100755
--- a/bin/clearall.sh
+++ b/bin/clearall.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=on" > /dev/null
diff --git a/bin/clearcache.sh b/bin/clearcache.sh
index 97de5f40e..ead3fe4a9 100755
--- a/bin/clearcache.sh
+++ b/bin/clearcache.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete=" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deleteIndex=off&deleteSolr=off&deleteCache=on&deleteCrawlQueues=off&deleteRobots=on&deleteSearchFl=on&deletecomplete=" > /dev/null
diff --git a/bin/clearindex.sh b/bin/clearindex.sh
index 773bb824b..21d88201d 100755
--- a/bin/clearindex.sh
+++ b/bin/clearindex.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?deletecomplete=&deleteIndex=on&deleteSolr=on&deleteCrawlQueues=on&deleteRobots=on&deleteSearchFl=on&deleteCache=off" > /dev/null
diff --git a/bin/deleteurl.sh b/bin/deleteurl.sh
index e5cb00da3..7a8b3ef4a 100755
--- a/bin/deleteurl.sh
+++ b/bin/deleteurl.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexControlURLs_p.html" "urlhashdeleteall=&urlstring=$1" > /dev/null
+./apicall.sh "IndexControlURLs_p.html?urlhashdeleteall=&urlstring=$1" > /dev/null
diff --git a/bin/importmediawiki.sh b/bin/importmediawiki.sh
index 7f5e829f8..f37e708c1 100755
--- a/bin/importmediawiki.sh
+++ b/bin/importmediawiki.sh
@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 cd "`dirname $0`"
-./apicall.sh "IndexImportMediawiki_p.html" "file=$1" > /dev/null
+./apicall.sh "IndexImportMediawiki_p.html?file=$1" > /dev/null
diff --git a/bin/passwd.sh b/bin/passwd.sh
index 770429b18..34ebc97c6 100755
--- a/bin/passwd.sh
+++ b/bin/passwd.sh
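Review bot: In deleteurl.sh the argument is interpolated into the query string as `urlstring=$1` without percent-encoding, so a URL containing `&`, `#`, `?` or a space is cut at that character and whatever follows is parsed as further parameters or dropped; importmediawiki.sh has the same issue with `file=$1`. Before this change the value was a separate argument to apicall.sh, which is not part of the patch, so whether it was encoded there cannot be seen here; on the new side the caller is clearly responsible. Either encode the argument before building the URL or state the contract in the script, e.g. `# $1 must already be percent-encoded: '&', '#', '?' and spaces are not escaped here`.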
@@ -38,7 +38,7 @@ if [ -f "$YACY_DATA_PATH/yacy.running" ]; then
 echo "YaCy server appears to be running. Calling the ConfigAccounts_p API..."
 # When the server is running we can not directly modify the yacy.conf file so we use the ConfigAccounts_p API.
 # Otherwise the new password provided here could be overwritten by the server when it saves its in-memory configuration to the yacy.conf file
- (./apicall.sh "ConfigAccounts_p.html" "setAdmin=&adminuser=$YACY_ADMIN_USER_NAME&adminpw1=$YACY_ADMIN_PASSWORD&adminpw2=$YACY_ADMIN_PASSWORD&access=" && \
+ (./apicall.sh "ConfigAccounts_p.html?setAdmin=&adminuser=$YACY_ADMIN_USER_NAME&adminpw1=$YACY_ADMIN_PASSWORD&adminpw2=$YACY_ADMIN_PASSWORD&access=" > /dev/null && \
 echo "Password successfully changed for User Name '$YACY_ADMIN_USER_NAME'.") || \
 (echo "Password setting failed." && exit 1)
 else
diff --git a/source/net/yacy/data/TransactionManager.java b/source/net/yacy/data/TransactionManager.java
index 92543df16..2a5487ba5 100644
--- a/source/net/yacy/data/TransactionManager.java
+++ b/source/net/yacy/data/TransactionManager.java
@@ -61,7 +61,7 @@ public class TransactionManager {
 * @throws NullPointerException
 * when header parameter is null.
 */
- private static String getCurrentUserName(final RequestHeader header) {
+ private static String getUserName(final RequestHeader header) {
 String userName = header.getRemoteUser();
 if (userName == null && header.accessFromLocalhost() && Switchboard.getSwitchboard() != null) {
@@ -124,7 +124,7 @@ public class TransactionManager {
 }
 /* Check this comes from an authenticated user */
- final String userName = getCurrentUserName(header);
+ final String userName = getUserName(header);
 if (userName == null) {
 throw new IllegalArgumentException("User is not authenticated");
 }
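Review bot: In passwd.sh the administrator password now travels inside the URL (`adminpw1=$YACY_ADMIN_PASSWORD&adminpw2=$YACY_ADMIN_PASSWORD`) instead of as a separate apicall.sh argument; if apicall.sh turns this into a GET, the credential sits in the request line, which HTTP access logs and any intermediary record, whereas a POST body normally is not logged. The value is also not percent-encoded, so a password containing `&`, `#`, `%` or `+` is truncated or altered before it reaches ConfigAccounts_p. The other bin/*.sh hunks make the same move to a query string, but this is the only one carrying a secret, so it deserves either a POST path in apicall.sh or at least a note such as `# NOTE: credentials are sent in the URL; make sure the query string is not written to the access log`. The enclosing `if` block starts outside the hunk.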
@@ -152,23 +152,24 @@ public class TransactionManager {
 * @throws BadTransactionException when a condition for valid transaction is not met.
 */
 public static void checkPostTransaction(final RequestHeader header, final serverObjects post) {
- if (header == null || post == null) {
- throw new IllegalArgumentException("Missing required parameters.");
- }
+ if (header == null)
+ throw new IllegalArgumentException("Missing required header parameters.");
+
+ if (header.accessFromLocalhost()) return; // this is one exception that we accept if basc authentication is gven
- if(!HeaderFramework.METHOD_POST.equals(header.getMethod())) {
+ if (post == null) // non-local requests must use POST parameters
+ throw new IllegalArgumentException("Missing required post parameters.");
+
+ if (!HeaderFramework.METHOD_POST.equals(header.getMethod())) // non-local users must use POST protocol
 throw new DisallowedMethodException("HTTP POST method is the only one authorized.");
- }
- String userName = getCurrentUserName(header);
- if (userName == null) {
+ String userName = getUserName(header);
+ if (userName == null)
 throw new BadTransactionException("User is not authenticated.");
- }
 final String transactionToken = post.get(TRANSACTION_TOKEN_PARAM);
- if(transactionToken == null) {
+ if (transactionToken == null)
 throw new TemplateMissingParameterException("Missing transaction token.");
- }
 final String token = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, SIGNING_KEY)
 .hmacHex(TOKEN_SEED + userName + header.getPathInfo());
diff --git a/stopYACY.sh b/stopYACY.sh
index 4818819f3..e57f030a6 100755
--- a/stopYACY.sh
+++ b/stopYACY.sh
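Review bot: `if (header.accessFromLocalhost()) return;` leaves checkPostTransaction before the method, user and transaction-token checks, so any request arriving over the loopback interface skips the token entirely, while the comment says the exemption is meant for requests that present basic authentication — nothing on the new side verifies that credentials were given, and getUserName() in the earlier hunk appears to hand out a user name for unauthenticated localhost requests as well. A browser on the same machine also arrives from localhost, which is exactly the caller the transaction token is there to stop. Narrow the exemption to requests that actually authenticated, `if (header.accessFromLocalhost() && header.getRemoteUser() != null) return; // local scripts authenticate with basic auth instead of a transaction token` (assuming getRemoteUser() is only set after the credentials were verified), and fix the typos `basc`/`gven`. The token comparison continues past the end of the hunk, and the removed braces leave the method with a mix of braced and unbraced single-statement ifs; the file's other methods keep the braces.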
@@ -20,7 +20,7 @@ if [ ! -f "$YACY_DATA_PATH/yacy.running" ]; then
 exit 1
 fi
-(bin/apicall.sh "Steering.html" "shutdown=true" && \
+(bin/apicall.sh "Steering.html?shutdown=true" > /dev/null && \
 echo "Please wait until the YaCy daemon process terminates [wget]" && \
 echo "You can monitor this with 'tail -f $YACY_DATA_PATH/LOG/yacy00.log' and 'fuser $YACY_DATA_PATH/LOG/yacy00.log'") || \
 exit $?
diff --git a/updateYACY.sh b/updateYACY.sh
index 0e2d8c125..878976a0a 100755
--- a/updateYACY.sh
+++ b/updateYACY.sh
@@ -3,7 +3,7 @@ cd `dirname $0`
 if [ -x `which wget` ]
 then
- bin/apicall.sh "ConfigUpdate_p.html?autoUpdate="
+ bin/apicall.sh "ConfigUpdate_p.html?autoUpdate=" > /dev/null
 elif [ -x `which java` ]
 then