* adminAccountForLocalhost only for localhost

* yacy crawls local domains also, if no password is set (the interface is already protected)
* it is no longer required to set a password in intranet mode

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@7436 6c8d7289-2bf4-0310-a012-ef5d649a1542
f1ori 14 years ago
parent c9cd03b532
commit a321c7673d

@ -24,7 +24,6 @@
:: ::
<p class="error">Username too short. Username must be >= 4 Characters.</p> <p class="error">Username too short. Username must be >= 4 Characters.</p>
#(/error)# #(/error)#
#(commitIntranetWarning)#::<div class="error">With an intranet indexing configuration it is not allowed to authentify automatically from localhost!</div>#(/commitIntranetWarning)#
#(passwordNotSetWarning)#::<div class="error">No password is set for the administration account. Please define a password for the admin account.</div>#(/passwordNotSetWarning)# #(passwordNotSetWarning)#::<div class="error">No password is set for the administration account. Please define a password for the admin account.</div>#(/passwordNotSetWarning)#
<fieldset><legend>Admin Account</legend> <fieldset><legend>Admin Account</legend>

@ -68,21 +68,15 @@ public class ConfigAccounts_p {
} }
if (localhostAccess) { if (localhostAccess) {
if (sb.crawlStacker.acceptLocalURLs()) {
// in this case it is not allowed to use a localhostAccess option sb.setConfig("adminAccountForLocalhost", true);
prop.put("commitIntranetWarning", 1); // if an localhost access is configured, check if a local password is given
localhostAccess = false; // if not, set a random password
sb.setConfig("adminAccountForLocalhost", false); if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
} else { // make a 'random' password
sb.setConfig("adminAccountForLocalhost", true); env.setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + sb.genRandomPassword());
// if an localhost access is configured, check if a local password is given env.setConfig("adminAccount", "");
// if not, set a random password }
if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
// make a 'random' password
env.setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + Digest.encodeMD5Hex(System.getProperties().toString() + System.currentTimeMillis()));
env.setConfig("adminAccount", "");
}
}
} else { } else {
sb.setConfig("adminAccountForLocalhost", false); sb.setConfig("adminAccountForLocalhost", false);
if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) { if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
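Review bot: The random-password block added inside the `if (localhostAccess)` branch (from the `env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0` check through `env.setConfig("adminAccount", "")`) is the same four lines as the block in the Switchboard hunk at 1445, so the two copies can drift apart; one helper next to `genRandomPassword()` in serverSwitch, say `setRandomAdminPasswordIfUnset()`, would keep a single definition. The literal `"0000"` that marks a generated password is written here and in that hunk and read by the `startsWith("0000")` checks in this hunk and in the Switchboard hunk at 551; it should be one named constant, e.g. `public static final String GENERATED_PASSWORD_MARKER = "0000";`, so writers and readers cannot disagree on the marker. The enclosing method starts and ends outside the hunk.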

@ -47,7 +47,6 @@
#(commitDHTIsRobinson)#::<div class="error">For P2P operation, at least DHT distribution or DHT receive (or both) must be set. You have thus defined a Robinson configuration.</div>#(/commitDHTIsRobinson)# #(commitDHTIsRobinson)#::<div class="error">For P2P operation, at least DHT distribution or DHT receive (or both) must be set. You have thus defined a Robinson configuration.</div>#(/commitDHTIsRobinson)#
#(commitDHTNoGlobalSearch)#::<div class="error">Global Search in P2P configuration is only allowed, if index receive is switched on. You have a P2P configuration, but are not allowed to search other peers.</div>#(/commitDHTNoGlobalSearch)# #(commitDHTNoGlobalSearch)#::<div class="error">Global Search in P2P configuration is only allowed, if index receive is switched on. You have a P2P configuration, but are not allowed to search other peers.</div>#(/commitDHTNoGlobalSearch)#
#(commitRobinson)#::<div class="commit">For Robinson Mode, index distribution and receive is switched off.</div>#(/commitRobinson)# #(commitRobinson)#::<div class="commit">For Robinson Mode, index distribution and receive is switched off.</div>#(/commitRobinson)#
#(commitPasswordWarning)#::<div class="error">With this configuration it is not allowed to authentify automatically from localhost! Please open the <a href="ConfigAccounts_p.html">Account Configuration</a> and set a new password.</div>#(/commitPasswordWarning)#
<form id="NetworkForm" method="post" action="ConfigNetwork_p.html" enctype="multipart/form-data" accept-charset="UTF-8"> <form id="NetworkForm" method="post" action="ConfigNetwork_p.html" enctype="multipart/form-data" accept-charset="UTF-8">
<fieldset> <fieldset>
<legend> <legend>

@ -35,7 +35,6 @@ import net.yacy.kelondro.util.FileUtils;
import net.yacy.kelondro.util.MapTools; import net.yacy.kelondro.util.MapTools;
import de.anomic.data.WorkTables; import de.anomic.data.WorkTables;
import de.anomic.http.server.HTTPDemon;
import de.anomic.search.Switchboard; import de.anomic.search.Switchboard;
import de.anomic.search.SwitchboardConstants; import de.anomic.search.SwitchboardConstants;
import de.anomic.server.serverObjects; import de.anomic.server.serverObjects;
@ -67,10 +66,6 @@ public class ConfigNetwork_p {
// shut down old network and index, start up new network and index // shut down old network and index, start up new network and index
commit = 1; commit = 1;
sb.switchNetwork(networkDefinition); sb.switchNetwork(networkDefinition);
// check if the password is given
if (sb.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
prop.put("commitPasswordWarning", "1");
}
} }
} }

@ -293,7 +293,7 @@ public final class HTTPDFileHandler {
final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false); final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
final String refererHost = requestHeader.refererHost(); final String refererHost = requestHeader.refererHost();
boolean accessFromLocalhost = Domains.isLocal(clientIP) && (refererHost == null || refererHost.length() == 0 || Domains.isLocal(refererHost)); boolean accessFromLocalhost = Domains.isLocalhost(clientIP) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost; final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
final boolean protectedPage = path.indexOf("_p.") > 0; final boolean protectedPage = path.indexOf("_p.") > 0;
final boolean accountEmpty = adminAccountBase64MD5.length() == 0; final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
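Review bot: The `accessFromLocalhost` line treats a request from the loopback address with no Referer as local, and the hunk at 184 removes the LoaderDispatcher check that kept this peer's own crawler away from localhost URLs; a crawl of a `_p.` URL on this peer would now reach the protected page from 127.0.0.1, and whether it is refused depends on the crawler always sending a non-local Referer, which nothing on the page shows. That assumption belongs next to the flag, e.g. `// a missing Referer counts as local: requests the crawler issues to this peer must carry the page they came from, or they would be treated as an admin session`, and if it is not guaranteed, `protectedPage` requests with an empty Referer should require the password regardless of client address (at the cost of bookmarked admin pages). This is the scenario the comment in the Switchboard hunk at 551 describes, remote pages linking to localhost addresses. The same localhost-and-referer expression is repeated in the Switchboard hunk at 2060; a single helper would keep the two in step. The enclosing method starts and ends outside the hunk.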

@ -103,7 +103,6 @@ import net.yacy.kelondro.index.HandleSet;
import net.yacy.kelondro.index.RowSpaceExceededException; import net.yacy.kelondro.index.RowSpaceExceededException;
import net.yacy.kelondro.logging.Log; import net.yacy.kelondro.logging.Log;
import net.yacy.kelondro.order.Base64Order; import net.yacy.kelondro.order.Base64Order;
import net.yacy.kelondro.order.Digest;
import net.yacy.kelondro.order.NaturalOrder; import net.yacy.kelondro.order.NaturalOrder;
import net.yacy.kelondro.util.EventTracker; import net.yacy.kelondro.util.EventTracker;
import net.yacy.kelondro.util.FileUtils; import net.yacy.kelondro.util.FileUtils;
@ -552,8 +551,7 @@ public final class Switchboard extends serverSwitch {
// that an automatic authorization of localhost is done, because in this case crawls from local // that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost // addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer // addresses that can steer a YaCy peer
if ((crawlStacker.acceptLocalURLs()) && (getConfigBool("adminAccountForLocalhost", false))) { if ((getConfigBool("adminAccountForLocalhost", false))) {
setConfig("adminAccountForLocalhost", false);
if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) { if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// the password was set automatically with a random value. // the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more // We must remove that here to prevent that a user cannot log in any more
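Review bot: The comment lines above `if ((getConfigBool("adminAccountForLocalhost", false)))` still explain the `crawlStacker.acceptLocalURLs()` condition this hunk removes (local crawling being blocked while localhost is auto-authorised), so they now describe a rule the code no longer applies; the comment begins above the hunk. Replace them with what the block does now, e.g. `// a password marked with the "0000" prefix was generated at random and is unknown to the user; remove it so the user is alerted to set a new one`. Dropping the `setConfig("adminAccountForLocalhost", false)` line also means the flag now stays on after the generated password is removed, which matches the commit message but deserves a word in the same comment. The doubled parentheses around the single remaining condition are a leftover of the removed `&&` and can go: `if (getConfigBool("adminAccountForLocalhost", false)) {`. The enclosing block continues outside the hunk.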
@ -921,20 +919,6 @@ public final class Switchboard extends serverSwitch {
continueCrawlJob(SwitchboardConstants.CRAWLJOB_REMOTE_TRIGGERED_CRAWL); continueCrawlJob(SwitchboardConstants.CRAWLJOB_REMOTE_TRIGGERED_CRAWL);
log.logInfo("SWITCH NETWORK: FINISHED START UP, new network is now '" + networkDefinition + "'."); log.logInfo("SWITCH NETWORK: FINISHED START UP, new network is now '" + networkDefinition + "'.");
// check status of account configuration: when local url crawling is allowed, it is not allowed
// that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer
if ((crawlStacker.acceptLocalURLs()) && (getConfigBool("adminAccountForLocalhost", false))) {
setConfig("adminAccountForLocalhost", false);
if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "");
// after this a message must be generated to alert the user to set a new password
log.logInfo("RANDOM PASSWORD REMOVED! User must set a new password");
}
}
// set the network-specific remote crawl ppm // set the network-specific remote crawl ppm
setRemotecrawlPPM(Math.max(1, (int) getConfigLong("network.unit.remotecrawl.speed", 60))); setRemotecrawlPPM(Math.max(1, (int) getConfigLong("network.unit.remotecrawl.speed", 60)));
} }
@ -1461,9 +1445,9 @@ public final class Switchboard extends serverSwitch {
} }
// set a random password if no password is configured // set a random password if no password is configured
if (!crawlStacker.acceptLocalURLs() && getConfigBool("adminAccountForLocalhost", false) && getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) { if (getConfigBool("adminAccountForLocalhost", false) && getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
// make a 'random' password // make a 'random' password
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + Digest.encodeMD5Hex(System.getProperties().toString() + System.currentTimeMillis())); setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + this.genRandomPassword());
setConfig("adminAccount", ""); setConfig("adminAccount", "");
} }
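Review bot: The value stored on the `setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + this.genRandomPassword())` line is recognised later only by `startsWith("0000")` (the hunk at 551 and the ConfigAccounts_p hunk), and if a user-set entry in that key is otherwise a bare hex digest, about one in 65536 genuine passwords would also begin with `0000` and be discarded as generated. A marker that cannot occur in a digest, or a check on the full length (a presumably 32-character digest behind the 4-character prefix gives 36), would remove the ambiguity; the format of a user-set entry is not visible here, so confirm it before relying on length. The `this.` qualifier on `genRandomPassword()` is out of step with the unqualified `getConfigBool` and `setConfig` calls in the same hunk. The enclosing method starts and ends outside the hunk.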
@ -2076,9 +2060,9 @@ public final class Switchboard extends serverSwitch {
// authorization for localhost, only if flag is set to grant localhost access as admin // authorization for localhost, only if flag is set to grant localhost access as admin
final String clientIP = requestHeader.get(HeaderFramework.CONNECTION_PROP_CLIENTIP, ""); final String clientIP = requestHeader.get(HeaderFramework.CONNECTION_PROP_CLIENTIP, "");
if (!Domains.isLocal(clientIP)) return false; if (!Domains.isLocalhost(clientIP)) return false;
final String refererHost = requestHeader.refererHost(); final String refererHost = requestHeader.refererHost();
return refererHost == null || refererHost.length() == 0 || Domains.isLocal(refererHost); return refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost);
} }
public int adminAuthenticated(final RequestHeader requestHeader) { public int adminAuthenticated(final RequestHeader requestHeader) {
@ -2091,7 +2075,7 @@ public final class Switchboard extends serverSwitch {
final String authorization = (requestHeader.get(RequestHeader.AUTHORIZATION, "xxxxxx")).trim().substring(6); final String authorization = (requestHeader.get(RequestHeader.AUTHORIZATION, "xxxxxx")).trim().substring(6);
// security check against too long authorization strings // security check against too long authorization strings
if (authorization.length() > 256) return 0; if (authorization.length() > 256) return 0;
// authorization by encoded password, only for localhost access // authorization by encoded password, only for localhost access
final String adminAccountBase64MD5 = getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, ""); final String adminAccountBase64MD5 = getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "");

@ -35,6 +35,7 @@ import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Iterator; import java.util.Iterator;
import java.util.Map; import java.util.Map;
import java.util.Random;
import java.util.TreeMap; import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
@ -44,6 +45,7 @@ import net.yacy.cora.protocol.HeaderFramework;
import net.yacy.cora.protocol.RequestHeader; import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.protocol.http.HTTPClient; import net.yacy.cora.protocol.http.HTTPClient;
import net.yacy.kelondro.logging.Log; import net.yacy.kelondro.logging.Log;
import net.yacy.kelondro.order.Digest;
import net.yacy.kelondro.util.FileUtils; import net.yacy.kelondro.util.FileUtils;
import net.yacy.kelondro.workflow.BusyThread; import net.yacy.kelondro.workflow.BusyThread;
import net.yacy.kelondro.workflow.WorkflowThread; import net.yacy.kelondro.workflow.WorkflowThread;
@ -611,4 +613,18 @@ public class serverSwitch {
} }
} }
private static Random pwGenerator = new Random();
/**
* generates a random password
*/
public String genRandomPassword() {
return genRandomPassword(20);
}
public String genRandomPassword(int length) {
byte[] bytes = new byte[length];
pwGenerator.nextBytes(bytes);
return Digest.encodeMD5Hex(bytes);
}
} }
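Review bot: `pwGenerator` is a `java.util.Random`, which is not a cryptographically secure generator, yet `genRandomPassword(int)` draws the admin credential from it; a password generator needs a cryptographic source, `private static final SecureRandom pwGenerator = new SecureRandom();` with `import java.security.SecureRandom;` in place of the `java.util.Random` import added in the hunk at 35. The field should be `final` in any case. Passing the bytes through `Digest.encodeMD5Hex` adds nothing over hex-encoding them directly and caps the result at the digest width; keeping it for format stability is fine, but a comment should say the digest serves only as an encoding, not for strength. The `genRandomPassword(int length)` overload has no Javadoc; add `@param length number of random bytes drawn before encoding` and `@return hex MD5 string derived from the bytes`, and say on the no-argument overload that it draws 20 bytes.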

@ -742,6 +742,13 @@ public class Domains {
if (i == null) return TLD_Generic_ID; if (i == null) return TLD_Generic_ID;
return i.intValue(); return i.intValue();
} }
public static boolean isLocalhost(final String host) {
if (host.equals("127.0.0.1")) return true;
if (host.equals("localhost")) return true;
if (host.startsWith("0:0:0:0:0:0:0:1")) return true;
return false;
}
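Review bot: `host.startsWith("0:0:0:0:0:0:0:1")` on the third check also accepts any address that merely begins with that text, such as `0:0:0:0:0:0:0:1a`, which is not the loopback address, and `host.equals(...)` on the first check throws on a null host; since `isLocalhost` now decides automatic admin access in the HTTPDFileHandler and Switchboard hunks, an over-match widens the set of addresses the check accepts. Use exact comparison and reject null, e.g. `if (host == null) return false;` and `if (host.equals("0:0:0:0:0:0:0:1") || host.equals("::1")) return true;`. If the prefix form was chosen to tolerate a zone suffix such as `%lo`, strip that suffix before comparing rather than matching a prefix. A Javadoc line stating that this deliberately recognises only the literal loopback forms, not other 127.0.0.0/8 addresses or names resolving to them, would stop callers expecting `isLocal` semantics.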
public static boolean isLocal(final String host) { public static boolean isLocal(final String host) {
return isLocal(host, true); return isLocal(host, true);

@ -184,10 +184,6 @@ public final class LoaderDispatcher {
final String protocol = url.getProtocol(); final String protocol = url.getProtocol();
final String host = url.getHost(); final String host = url.getHost();
// check if this loads a page from localhost, which must be prevented to protect the server
// against attacks to the administration interface when localhost access is granted
if (url.isLocal() && sb.getConfigBool("adminAccountForLocalhost", false)) throw new IOException("access to localhost not granted for url " + url);
// check if we have the page in the cache // check if we have the page in the cache
final Map<String, String> mp = sb.crawler.profilesActiveCrawls.get(request.profileHandle().getBytes()); final Map<String, String> mp = sb.crawler.profilesActiveCrawls.get(request.profileHandle().getBytes());
CrawlProfile crawlProfile = mp == null ? null : new CrawlProfile(mp); CrawlProfile crawlProfile = mp == null ? null : new CrawlProfile(mp);
