* deny adminForLocalhost and intranet network setup also on bootup and not only on network switch

* require authentication for yacybot whatever adminForLocalhost is set to
  (after this patch, is the rule from above really necessary?
  the crawler also checks the robots.txt)

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@7376 6c8d7289-2bf4-0310-a012-ef5d649a1542
f1ori 14 years ago
parent 9d2159582f
commit 2521677a45

@ -299,7 +299,7 @@ public final class HTTPDFileHandler {
final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
final boolean softauth = accessFromLocalhost && authorization != null && authorization.length() > 6 && (adminAccountBase64MD5.equals(authorization.substring(6)));
if (!softauth && !grantedForLocalhost && protectedPage && !accountEmpty) {
if (protectedPage && ((!softauth && !grantedForLocalhost && !accountEmpty) || requestHeader.userAgent().startsWith("yacybot"))) {
// authentication required
if (authorization == null) {
// no authorization given in response. Ask for that
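Review bot: The added `requestHeader.userAgent().startsWith("yacybot")` term tests a header the client chooses, so it only keeps cooperative YaCy crawlers off protected pages and should not be read as an access control. A comment on that line would make this explicit, e.g. `// User-Agent is client-supplied: this only stops well-behaved YaCy crawlers, it is not a security boundary`. If `userAgent()` can return null for a request without that header (its implementation is not visible here), the call would throw before the authentication decision is made, so a null-safe form is worth confirming. The new term also bypasses `!accountEmpty`, so a yacybot request is asked to authenticate even when no admin account exists; how that case ends depends on code below the hunk, as the enclosing method starts and ends outside it.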

@ -552,6 +552,21 @@ public final class Switchboard extends serverSwitch {
isGlobalMode(),
this.domainList); // Intranet and Global mode may be both true!
// check status of account configuration: when local url crawling is allowed, it is not allowed
// that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer
if ((crawlStacker.acceptLocalURLs()) && (getConfigBool("adminAccountForLocalhost", false))) {
setConfig("adminAccountForLocalhost", false);
if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "");
// after this a message must be generated to alert the user to set a new password
log.logInfo("RANDOM PASSWORD REMOVED! User must set a new password");
}
}
// initializing dht chunk generation
this.dhtMaxReferenceCount = (int) getConfigLong(SwitchboardConstants.INDEX_DIST_CHUNK_SIZE_START, 50);
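Review bot: Resetting `HTTPDemon.ADMIN_ACCOUNT_B64MD5` to `""` in the added block leaves the peer with an empty admin account, and the condition visible in HTTPDFileHandler only demands authentication when `!accountEmpty`, so from what is shown protected pages appear to be served without credentials until the user sets a new password. The only signal is a single `log.logInfo` line; this should be logged at warning level, and the user alert that the comment says "must be generated" is not implemented in this hunk. At minimum the exposure should be documented next to the `setConfig` call, e.g. `// NOTE: an empty account disables the auth check for protected pages until a password is set`. The `startsWith("0000")` test for an auto-generated password relies on a magic prefix and would read better as a named constant. The enclosing method begins and ends outside the hunk.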
