fix for attacks on localhost-authorized peers from web pages with links to localhost addresses:

check the Referer header on localhost-authorized access

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4828 6c8d7289-2bf4-0310-a012-ef5d649a1542
orbiter 17 years ago
parent 2ba6f4e92d
commit c1d721dd2d

@ -3,7 +3,7 @@ javacSource=1.5
javacTarget=1.5
# Release Configuration
releaseVersion=0.584
releaseVersion=0.585
stdReleaseFile=yacy_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
embReleaseFile=yacy_emb_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
proReleaseFile=yacy_pro_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz

@ -367,7 +367,7 @@ adminAccountBase64MD5=
# if the admin account password is still empty after 10 minutes a random
# password is generated an access is then ONLY from localhost, which will cause
# inaccessibility for installations on headless servers.
adminAccountForLocalhost=false
adminAccountForLocalhost=true
# if you are running a principal peer, you must update the following variables
# The upload method that should be used to upload the seed-list file to
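Review bot: Switching the default of adminAccountForLocalhost to true means every peer now treats any loopback connection as soft-authenticated admin for protected (_p) pages without a password, and the only thing between a browser tab on that host and those pages is the Referer check introduced elsewhere in this commit. The surrounding comment explains the random-password fallback but says nothing about what this flag grants or what it relies on, so an operator reading the file cannot judge the trade-off. Suggest a comment directly above the setting: `# true: requests from 127.0.0.1/::1 are granted admin access without a password, relying on the Referer header to reject links from foreign web pages; browsers omit Referer in some cases (e.g. https->http links, RFC 2616 15.1.3), so set false on shared hosts`. While here, `an access` in the comment above reads as `and access`.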

@ -60,6 +60,7 @@ import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.Collator;
import java.util.Date;
import java.util.HashMap;
@ -394,6 +395,17 @@ public final class httpHeader extends TreeMap<String, String> implements Map<Str
return null;
}
public String referer() {
return (String) get(httpHeader.REFERER, "");
}
public String refererHost() {
String refererHost = "";
String referer = referer();
if (referer.length() > 0) try { refererHost = (new URL(referer)).getHost(); } catch (MalformedURLException e) {}
return refererHost;
}
public String mime() {
return (String) get(httpHeader.CONTENT_TYPE, "application/octet-stream");
}

@ -256,8 +256,7 @@ public final class httpd implements serverHandler {
}
/**
* This funciton is used to determine if a persistent connection was requested by the
* client.
* This function is used to determine if a persistent connection was requested by the client.
* @param header the received http-headers
* @return <code>true</code> if a persistent connection was requested or <code>false</code> otherwise
*/
@ -300,7 +299,7 @@ public final class httpd implements serverHandler {
if (authorization == null) return 1;
//if (authorization.length() < 6) return 1; // no authentication information given
String adminAccountBase64MD5 = sw.getConfig(ADMIN_ACCOUNT_B64MD5, "");
if (adminAccountBase64MD5.length() == 0) return 2; // no passwrd stored
if (adminAccountBase64MD5.length() == 0) return 2; // no password stored
if (adminAccountBase64MD5.equals(serverCodings.encodeMD5Hex(authorization))) return 4; // hard-authenticated, all ok
return 1;
}

@ -304,7 +304,8 @@ public final class httpdFileHandler {
int pos = path.lastIndexOf(".");
boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
boolean accessFromLocalhost = clientIP.equals("localhost") || clientIP.startsWith("0:0:0:0:0:0:0:1");
String refererHost = requestHeader.refererHost();
boolean accessFromLocalhost = serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost));
boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
boolean protectedPage = (path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p");
boolean accountEmpty = adminAccountBase64MD5.length() == 0;
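Review bot: The new accessFromLocalhost expression still grants the localhost admin path whenever the Referer header is absent, and a cross-site attacker can arrange exactly that: per RFC 2616 section 15.1.3 a browser does not send Referer when following a link from an https page to an http URL, so a link or image from an attacker's https page to `http://localhost:<port>/..._p.html` arrives from 127.0.0.1 with no Referer and passes this check (whether that is exploitable depends on which protected pages act on GET parameters, which this hunk does not show). Referer is also routinely stripped by proxies and privacy settings, so it can only ever be a heuristic. A robust fix for browser-originated requests is to require a session-bound token (or at least a custom request header) on protected-page requests in addition to the Referer test; at minimum the empty-Referer allowance deserves a comment, e.g. `// NOTE: an empty Referer is accepted for typed URLs and non-browser clients, but browsers also omit it on https->http navigation`. The decision that consumes grantedForLocalhost continues past the end of this hunk.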
@ -640,6 +641,7 @@ public final class httpdFileHandler {
if (authorization != null) {
serverLog.logInfo("HTTPD", "dynamic log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
if (attempts != null) try {Thread.sleep(1000 * attempts.intValue());} catch (InterruptedException e) {}
if (attempts == null)
serverCore.bfHost.put(clientIP, new Integer(1));
else

@ -149,6 +149,7 @@ import de.anomic.plasma.parser.ParserException;
import de.anomic.server.serverAbstractSwitch;
import de.anomic.server.serverBusyThread;
import de.anomic.server.serverCodings;
import de.anomic.server.serverCore;
import de.anomic.server.serverDomains;
import de.anomic.server.serverFileUtils;
import de.anomic.server.serverInstantBusyThread;
@ -2264,7 +2265,8 @@ public final class plasmaSwitchboard extends serverAbstractSwitch<IndexingStack.
// authorization for localhost, only if flag is set to grant localhost access as admin
String clientIP = (String) header.get(httpHeader.CONNECTION_PROP_CLIENTIP, "");
boolean accessFromLocalhost = clientIP.equals("localhost") || clientIP.startsWith("0:0:0:0:0:0:0:1");
String refererHost = header.refererHost();
boolean accessFromLocalhost = serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost));
if (getConfigBool("adminAccountForLocalhost", false) && accessFromLocalhost) return 3; // soft-authenticated for localhost
// get the authorization string from the header
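Review bot: The localhost/Referer decision is now spelled out twice — here and in httpdFileHandler — as the identical compound expression `serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost))`, so any tightening of the Referer semantics must be made in two places and the two can drift apart. Both sites already depend on serverCore, so move it there as `public static boolean isLocalhostAccess(String clientIP, String refererHost)` and call that from both. The comment two lines up still reads `authorization for localhost, only if flag is set to grant localhost access as admin`; it should mention the new condition, e.g. `// authorization for localhost requires a loopback client AND a Referer that is absent or itself local`. The enclosing method starts and ends outside this hunk.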

@ -196,10 +196,13 @@ public final class serverCore extends serverAbstractBusyThread implements server
InetAddress uAddr = s.getInetAddress();
if (uAddr.isAnyLocalAddress()) return "localhost";
String cIP = uAddr.getHostAddress();
if (cIP.startsWith("0:0:0:0:0:0:0:1")) cIP = "localhost";
if (cIP.equals("127.0.0.1")) cIP = "localhost";
if (isLocalhost(cIP)) cIP = "localhost";
return cIP;
}
public static final boolean isLocalhost(String hostname) {
return hostname.equals("localhost") || hostname.equals("127.0.0.1") || hostname.startsWith("0:0:0:0:0:0:0:1");
}
// class initializer
public serverCore(
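Review bot: isLocalhost() uses a prefix match (`startsWith("0:0:0:0:0:0:0:1")`) on a string that, at the referer call sites, is derived from a request header, and it does not recognise the bracketed form `[::1]` that java.net.URL.getHost() returns for an IPv6 literal, so a Referer of `http://[::1]:<port>/` is (safely, but wrongly) treated as foreign while any string merely beginning with the loopback text is accepted. Compare against the exact loopback spellings after stripping brackets: `if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length() - 1);` followed by `return hostname.equals("localhost") || hostname.equals("127.0.0.1") || hostname.equals("0:0:0:0:0:0:0:1") || hostname.equals("::1");`. Separately, the context line `if (uAddr.isAnyLocalAddress()) return "localhost";` tests for the wildcard address (0.0.0.0), not loopback; `isLoopbackAddress()` looks like the intended check and would also cover the rest of 127.0.0.0/8, which the string comparison below it misses. The enclosing method starts outside this hunk.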
