From 65d49df865f60511d22d86fb15c33a082176e7ab Mon Sep 17 00:00:00 2001
From: reger
Date: Sun, 26 Aug 2012 22:28:14 +0200
Subject: [PATCH] security fix: clear automtic password only if adminAccountForLocalhost=false to prevent remote access to protected pages after restart. if adminAccountForLocalhost=true leave automatic password unchanged so access from local host is granted but remote access is preventet from the 1st second.
---
 source/net/yacy/search/Switchboard.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/net/yacy/search/Switchboard.java b/source/net/yacy/search/Switchboard.java
index 98f904e0f..d63c31798 100644
--- a/source/net/yacy/search/Switchboard.java
+++ b/source/net/yacy/search/Switchboard.java
@@ -775,7 +775,7 @@ public final class Switchboard extends serverSwitch
 // that an automatic authorization of localhost is done, because in this case crawls from local
 // addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
 // addresses that can steer a YaCy peer
- if ( (getConfigBool("adminAccountForLocalhost", false)) ) {
+ if ( !getConfigBool("adminAccountForLocalhost", false) ) {
 if ( getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000") ) {
 // the password was set automatically with a random value.
 // We must remove that here to prevent that a user cannot log in any more
@@ -3449,4 +3449,4 @@ public final class Switchboard extends serverSwitch
 this.shutdownSync.acquire();
 return this.terminate;
 }
-}
+}
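Review bot: The negated test `if ( !getConfigBool("adminAccountForLocalhost", false) )` in the first hunk also takes the clear-password branch when the key is absent from the configuration, because the default passed is `false`. Whether an emptied `ADMIN_ACCOUNT_B64MD5` then leaves protected pages reachable without credentials is not visible here and should be confirmed before relying on this as the safe path. The comment block above the condition (it starts outside the hunk) still describes only the localhost case, so I would add a line directly over the `if`, for example `// localhost auto-auth is off: drop the auto-generated ("0000"-prefixed) password so the operator can set one; with auto-auth on it must stay so remote access remains locked`. The body of the inner `if` continues past the end of the hunk, so the actual reset and any logging of it are not reviewed here.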