From c1d721dd2d3f58ffbf45fdbf3961646b40237d68 Mon Sep 17 00:00:00 2001
From: orbiter
Date: Mon, 19 May 2008 22:17:53 +0000
Subject: [PATCH] fix for attacks on localhost-authorized peers from web pages with links to localhost addresses: checking of referer in access

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4828 6c8d7289-2bf4-0310-a012-ef5d649a1542
---
 build.properties | 2 +-
 defaults/yacy.init | 2 +-
 source/de/anomic/http/httpHeader.java | 12 ++++++++++++
 source/de/anomic/http/httpd.java | 5 ++---
 source/de/anomic/http/httpdFileHandler.java | 4 +++-
 source/de/anomic/plasma/plasmaSwitchboard.java | 4 +++-
 source/de/anomic/server/serverCore.java | 7 +++++--
 7 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/build.properties b/build.properties
index 3e6a8b20b..1278199c4 100644
--- a/build.properties
+++ b/build.properties
@@ -3,7 +3,7 @@ javacSource=1.5
 javacTarget=1.5
 
 # Release Configuration
-releaseVersion=0.584
+releaseVersion=0.585
 stdReleaseFile=yacy_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
 embReleaseFile=yacy_emb_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
 proReleaseFile=yacy_pro_v${releaseVersion}_${DSTAMP}_${releaseNr}.tar.gz
diff --git a/defaults/yacy.init b/defaults/yacy.init
index 2594b7072..ce9705462 100644
--- a/defaults/yacy.init
+++ b/defaults/yacy.init
@@ -367,7 +367,7 @@ adminAccountBase64MD5=
 # if the admin account password is still empty after 10 minutes a random
 # password is generated an access is then ONLY from localhost, which will cause
 # inaccessibility for installations on headless servers.
-adminAccountForLocalhost=false
+adminAccountForLocalhost=true
 
 # if you are running a principal peer, you must update the following variables
 # The upload method that should be used to upload the seed-list file to
diff --git a/source/de/anomic/http/httpHeader.java b/source/de/anomic/http/httpHeader.java
index 749358e31..2306ffcea 100644
--- a/source/de/anomic/http/httpHeader.java
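Review bot: The comment block above `adminAccountForLocalhost` describes only the random-password fallback and says nothing about what the value now shipped as default, `true`, actually grants: in httpdFileHandler the flag is ANDed with `accessFromLocalhost` to produce `grantedForLocalhost`, i.e. a request from a local address (with an absent or local Referer) is treated as the admin without any credentials. Flipping the default to `true` is therefore a widening of trust that leans entirely on the new Referer check, and the comment should say so, e.g. `# true: requests from a localhost address are granted admin access without a password` and `# (requests carrying a Referer from a non-local host are rejected, see httpdFileHandler)`. The existing comment also reads "generated an access", presumably "and access".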
+++ b/source/de/anomic/http/httpHeader.java
@@ -60,6 +60,7 @@ import java.io.FileOutputStream;
 import java.io.FileReader;
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URL;
 import java.text.Collator;
 import java.util.Date;
 import java.util.HashMap;
@@ -394,6 +395,17 @@ public final class httpHeader extends TreeMap implements Map 0) try { refererHost = (new URL(referer)).getHost(); } catch (MalformedURLException e) {}
+ return refererHost;
+ } + public String mime() { return (String) get(httpHeader.CONTENT_TYPE, "application/octet-stream"); }
diff --git a/source/de/anomic/http/httpd.java b/source/de/anomic/http/httpd.java
index 3505141f1..718c92d0d 100644
--- a/source/de/anomic/http/httpd.java
+++ b/source/de/anomic/http/httpd.java
@@ -256,8 +256,7 @@ public final class httpd implements serverHandler {
 }
 
 /**
- * This funciton is used to determine if a persistent connection was requested by the
- * client.
+ * This function is used to determine if a persistent connection was requested by the client.
 * @param header the received http-headers
 * @return true if a persistent connection was requested or false otherwise
 */
@@ -300,7 +299,7 @@ public final class httpd implements serverHandler {
 if (authorization == null) return 1;
 //if (authorization.length() < 6) return 1; // no authentication information given
 String adminAccountBase64MD5 = sw.getConfig(ADMIN_ACCOUNT_B64MD5, "");
- if (adminAccountBase64MD5.length() == 0) return 2; // no passwrd stored
+ if (adminAccountBase64MD5.length() == 0) return 2; // no password stored
 if (adminAccountBase64MD5.equals(serverCodings.encodeMD5Hex(authorization))) return 4; // hard-authenticated, all ok
 return 1;
 }
diff --git a/source/de/anomic/http/httpdFileHandler.java b/source/de/anomic/http/httpdFileHandler.java
index fbf9ab350..b6fc58448 100644
--- a/source/de/anomic/http/httpdFileHandler.java
+++ b/source/de/anomic/http/httpdFileHandler.java
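Review bot: The empty `catch (MalformedURLException e) {}` in the new `refererHost()` leaves `refererHost` at its initial value, so a Referer that does not parse is indistinguishable from an absent one, and `URL.getHost()` likewise returns an empty string for URL forms without an authority (e.g. `file:` URLs). The caller added in httpdFileHandler treats an empty result as "no Referer" and keeps the localhost exemption, so all of these cases collapse into the trusted path. I'd at least document this on the method, which currently has no Javadoc, e.g. `/** Host of the Referer header; empty when the header is absent, has no host part, or does not parse. */`, and consider letting callers distinguish "unparseable" from "absent". The method's opening lines are garbled in this view (the generic bounds appear to have been stripped), so the initial value of `refererHost` is inferred from the caller's `length() == 0` test rather than seen.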
@@ -304,7 +304,8 @@ public final class httpdFileHandler {
 int pos = path.lastIndexOf(".");
 boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
- boolean accessFromLocalhost = clientIP.equals("localhost") || clientIP.startsWith("0:0:0:0:0:0:0:1");
+ String refererHost = requestHeader.refererHost();
+ boolean accessFromLocalhost = serverCore.isLocalhost(clientIP) && (refererHost.length() == 0 || serverCore.isLocalhost(refererHost));
 boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
 boolean protectedPage = (path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p");
 boolean accountEmpty = adminAccountBase64MD5.length() == 0;
@@ -640,6 +641,7 @@ public final class httpdFileHandler {
 if (authorization != null) {
 serverLog.logInfo("HTTPD", "dynamic log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
 Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
+ if (attempts != null) try {Thread.sleep(1000 * attempts.intValue());} catch (InterruptedException e) {}
 if (attempts == null) serverCore.bfHost.put(clientIP, new Integer(1));
 else
diff --git a/source/de/anomic/plasma/plasmaSwitchboard.java b/source/de/anomic/plasma/plasmaSwitchboard.java
index abf2dcfd9..0504a3105 100644
--- a/source/de/anomic/plasma/plasmaSwitchboard.java
+++ b/source/de/anomic/plasma/plasmaSwitchboard.java
@@ -149,6 +149,7 @@ import de.anomic.plasma.parser.ParserException;
 import de.anomic.server.serverAbstractSwitch;
 import de.anomic.server.serverBusyThread;
 import de.anomic.server.serverCodings;
+import de.anomic.server.serverCore;
 import de.anomic.server.serverDomains;
 import de.anomic.server.serverFileUtils;
 import de.anomic.server.serverInstantBusyThread;
@@ -2264,7 +2265,8 @@ public final class plasmaSwitchboard extends serverAbstractSwitch
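Review bot: The new `accessFromLocalhost` expression still grants the localhost exemption whenever the Referer is empty (`refererHost.length() == 0`), and since the Referer header is client-supplied and routinely absent or stripped, the check narrows the window for cross-site requests against the admin pages rather than closing it; a per-session token checked on the protected (`_p`) pages would be the robust fix, with the Referer test kept as defence in depth. Whatever strength the gate has rests entirely on `serverCore.isLocalhost(...)`, whose new implementation is listed in the diffstat but not in this hunk; given that the removed line used a `startsWith` prefix test for the IPv6 form, it is worth confirming the new helper matches hosts exactly. `refererHost()` also returns an empty value when the header fails to parse (its `catch` body is empty), which this line treats as trusted, so a comment such as `// empty referer (absent, unparseable, or no host part) still passes the check — see httpHeader.refererHost()` would make that visible to the next reader. The enclosing method begins and ends outside this hunk.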
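Review bot: The added back-off `Thread.sleep(1000 * attempts.intValue())` is unbounded and runs on the request-handling thread, so as the `bfHost` counter grows (it appears to be incremented right below, though the `else` branch is cut off in this view) each further bad login stalls a handler thread for ever longer, which slows a brute-force attempt but also lets a burst of bad logins from one address tie up server threads for minutes. It also swallows `InterruptedException` without restoring the interrupt flag, contrary to the usual `Thread.currentThread().interrupt()` idiom. I'd cap the delay and re-interrupt; the cap in the sketch below is an illustrative value, not a tuned one. The enclosing method begins outside this hunk.
```java
Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
if (attempts != null) {
    // back off linearly per previous failed attempt from this host, but cap the stall
    // so repeated bad logins cannot pin a handler thread indefinitely
    try {
        Thread.sleep(1000L * Math.min(attempts.intValue(), 10)); // 10 s cap: illustrative value
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt(); // preserve the interrupt for the caller
    }
}
// … unchanged: bfHost counter update …
```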