boxtec
/
yacy_search_server
mirror of https://github.com/yacy/yacy_search_server
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

*) better errorhandling in filehandler (try catch block now starts before argument parsing)

Browse Source 
git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@2704 6c8d7289-2bf4-0310-a012-ef5d649a1542
pull/1/head
theli 19 years ago
parent 1d4fb680ce
commit ce7ee74316
1 changed files with 127 additions and 125 deletions
Show Stats Download Patch File Download Diff File

252
source/de/anomic/http/httpdFileHandler.java
Unescape View File

@ -296,146 +296,148 @@ public final class httpdFileHandler extends httpdAbstractHandler implements http
this.connectionProperties = conProp; this.connectionProperties = conProp;
// getting some connection properties String path = null;
String method = conProp.getProperty(httpHeader.CONNECTION_PROP_METHOD);
String path = conProp.getProperty(httpHeader.CONNECTION_PROP_PATH);
String argsString = conProp.getProperty(httpHeader.CONNECTION_PROP_ARGS); // is null if no args were given
String httpVersion= conProp.getProperty(httpHeader.CONNECTION_PROP_HTTP_VER);
// check hack attacks in path
if (path.indexOf("..") >= 0) {
httpd.sendRespondError(conProp,out,4,403,null,"Access not allowed",null);
return;
}
// url decoding of path
try { try {
path = URLDecoder.decode(path, "UTF-8"); // getting some connection properties
} catch (UnsupportedEncodingException e) { String method = conProp.getProperty(httpHeader.CONNECTION_PROP_METHOD);
// This should never occur path = conProp.getProperty(httpHeader.CONNECTION_PROP_PATH);
assert(false) : "UnsupportedEncodingException: " + e.getMessage(); String argsString = conProp.getProperty(httpHeader.CONNECTION_PROP_ARGS); // is null if no args were given
} String httpVersion= conProp.getProperty(httpHeader.CONNECTION_PROP_HTTP_VER);
// check permission/granted access // check hack attacks in path
String authorization = (String) requestHeader.get(httpHeader.AUTHORIZATION); if (path.indexOf("..") >= 0) {
String adminAccountBase64MD5 = switchboard.getConfig("adminAccountBase64MD5", ""); httpd.sendRespondError(conProp,out,4,403,null,"Access not allowed",null);
int pos = path.lastIndexOf(".");
if ((path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p") && (adminAccountBase64MD5.length() != 0)) {
//authentication required
//userDB
if(sb.userDB.hasAdminRight(authorization, conProp.getProperty("CLIENTIP"), requestHeader.getHeaderCookies())){
//Authentication successful. remove brute-force flag
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
//static
}else if(authorization != null && sb.staticAdminAuthenticated(authorization.trim().substring(6))==4){
//Authentication successful. remove brute-force flag
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
//no auth
}else if (authorization == null) {
// no authorization given in response. Ask for that
httpHeader headers = getDefaultHeaders(path);
headers.put(httpHeader.WWW_AUTHENTICATE,"Basic realm=\"admin log-in\"");
//httpd.sendRespondHeader(conProp,out,httpVersion,401,headers);
serverObjects tp=new serverObjects();
tp.put("returnto", path);
//TODO: separate errorpage Wrong Login / No Login
httpd.sendRespondError(conProp, out, 5, 401, "Wrong Authentication", "", new File("proxymsg/authfail.inc"), tp, null, headers);
return;
} else {
// a wrong authentication was given or the userDB user does not have admin access. Ask again
String clientIP = conProp.getProperty("CLIENTIP", "unknown-host");
serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
if (attempts == null)
serverCore.bfHost.put(clientIP, new Integer(1));
else
serverCore.bfHost.put(clientIP, new Integer(attempts.intValue() + 1));
httpHeader headers = getDefaultHeaders(path);
headers.put(httpHeader.WWW_AUTHENTICATE,"Basic realm=\"admin log-in\"");
httpd.sendRespondHeader(conProp,out,httpVersion,401,headers);
return; return;
} }
}
// url decoding of path
try {
path = URLDecoder.decode(path, "UTF-8");
} catch (UnsupportedEncodingException e) {
// This should never occur
assert(false) : "UnsupportedEncodingException: " + e.getMessage();
}
// check permission/granted access
String authorization = (String) requestHeader.get(httpHeader.AUTHORIZATION);
String adminAccountBase64MD5 = switchboard.getConfig("adminAccountBase64MD5", "");
int pos = path.lastIndexOf(".");
if ((path.substring(0,(pos==-1)?path.length():pos)).endsWith("_p") && (adminAccountBase64MD5.length() != 0)) {
//authentication required
//userDB
if(sb.userDB.hasAdminRight(authorization, conProp.getProperty("CLIENTIP"), requestHeader.getHeaderCookies())){
//Authentication successful. remove brute-force flag
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
//static
}else if(authorization != null && sb.staticAdminAuthenticated(authorization.trim().substring(6))==4){
//Authentication successful. remove brute-force flag
serverCore.bfHost.remove(conProp.getProperty("CLIENTIP"));
//no auth
}else if (authorization == null) {
// no authorization given in response. Ask for that
httpHeader headers = getDefaultHeaders(path);
headers.put(httpHeader.WWW_AUTHENTICATE,"Basic realm=\"admin log-in\"");
//httpd.sendRespondHeader(conProp,out,httpVersion,401,headers);
serverObjects tp=new serverObjects();
tp.put("returnto", path);
//TODO: separate errorpage Wrong Login / No Login
httpd.sendRespondError(conProp, out, 5, 401, "Wrong Authentication", "", new File("proxymsg/authfail.inc"), tp, null, headers);
return;
} else {
// a wrong authentication was given or the userDB user does not have admin access. Ask again
String clientIP = conProp.getProperty("CLIENTIP", "unknown-host");
serverLog.logInfo("HTTPD", "Wrong log-in for account 'admin' in http file handler for path '" + path + "' from host '" + clientIP + "'");
Integer attempts = (Integer) serverCore.bfHost.get(clientIP);
if (attempts == null)
serverCore.bfHost.put(clientIP, new Integer(1));
else
serverCore.bfHost.put(clientIP, new Integer(attempts.intValue() + 1));
httpHeader headers = getDefaultHeaders(path);
headers.put(httpHeader.WWW_AUTHENTICATE,"Basic realm=\"admin log-in\"");
httpd.sendRespondHeader(conProp,out,httpVersion,401,headers);
return;
}
}
// parse arguments // parse arguments
serverObjects args = new serverObjects(); serverObjects args = new serverObjects();
int argc; int argc;
if (argsString == null) { if (argsString == null) {
// no args here, maybe a POST with multipart extension // no args here, maybe a POST with multipart extension
int length = 0; int length = 0;
//System.out.println("HEADER: " + requestHeader.toString()); // DEBUG //System.out.println("HEADER: " + requestHeader.toString()); // DEBUG
if (method.equals(httpHeader.METHOD_POST)) { if (method.equals(httpHeader.METHOD_POST)) {
GZIPInputStream gzipBody = null; GZIPInputStream gzipBody = null;
if (requestHeader.containsKey(httpHeader.CONTENT_LENGTH)) { if (requestHeader.containsKey(httpHeader.CONTENT_LENGTH)) {
length = Integer.parseInt((String) requestHeader.get(httpHeader.CONTENT_LENGTH)); length = Integer.parseInt((String) requestHeader.get(httpHeader.CONTENT_LENGTH));
} else if (requestHeader.gzip()) { } else if (requestHeader.gzip()) {
length = -1; length = -1;
gzipBody = new GZIPInputStream(body); gzipBody = new GZIPInputStream(body);
} }
// } else { // } else {
// httpd.sendRespondError(conProp,out,4,403,null,"bad post values",null); // httpd.sendRespondError(conProp,out,4,403,null,"bad post values",null);
// return; // return;
// } // }
// if its a POST, it can be either multipart or as args in the body // if its a POST, it can be either multipart or as args in the body
if ((requestHeader.containsKey(httpHeader.CONTENT_TYPE)) && if ((requestHeader.containsKey(httpHeader.CONTENT_TYPE)) &&
(((String) requestHeader.get(httpHeader.CONTENT_TYPE)).toLowerCase().startsWith("multipart"))) { (((String) requestHeader.get(httpHeader.CONTENT_TYPE)).toLowerCase().startsWith("multipart"))) {
// parse multipart // parse multipart
HashMap files = httpd.parseMultipart(requestHeader, args, (gzipBody!=null)?gzipBody:body, length); HashMap files = httpd.parseMultipart(requestHeader, args, (gzipBody!=null)?gzipBody:body, length);
// integrate these files into the args // integrate these files into the args
if (files != null) { if (files != null) {
Iterator fit = files.entrySet().iterator(); Iterator fit = files.entrySet().iterator();
Map.Entry entry; Map.Entry entry;
while (fit.hasNext()) { while (fit.hasNext()) {
entry = (Map.Entry) fit.next(); entry = (Map.Entry) fit.next();
args.put(((String) entry.getKey()) + "$file", entry.getValue()); args.put(((String) entry.getKey()) + "$file", entry.getValue());
}
} }
argc = Integer.parseInt((String) requestHeader.get("ARGC"));
} else {
// parse args in body
argc = httpd.parseArgs(args, (gzipBody!=null)?gzipBody:body, length);
} }
argc = Integer.parseInt((String) requestHeader.get("ARGC"));
} else { } else {
// parse args in body // no args
argc = httpd.parseArgs(args, (gzipBody!=null)?gzipBody:body, length); argsString = null;
args = null;
argc = 0;
} }
} else { } else {
// no args // simple args in URL (stuff after the "?")
argsString = null; argc = httpd.parseArgs(args, argsString);
args = null;
argc = 0;
} }
} else {
// simple args in URL (stuff after the "?")
argc = httpd.parseArgs(args, argsString);
}
// check for cross site scripting - attacks in request arguments // check for cross site scripting - attacks in request arguments
if (argc > 0) { if (argc > 0) {
// check all values for occurrences of script values // check all values for occurrences of script values
Enumeration e = args.elements(); // enumeration of values Enumeration e = args.elements(); // enumeration of values
Object val; Object val;
while (e.hasMoreElements()) { while (e.hasMoreElements()) {
val = e.nextElement(); val = e.nextElement();
if ((val != null) && (val instanceof String) && (((String) val).indexOf("<script") >= 0)) { if ((val != null) && (val instanceof String) && (((String) val).indexOf("<script") >= 0)) {
// deny request // deny request
httpd.sendRespondError(conProp,out,4,403,null,"bad post values",null); httpd.sendRespondError(conProp,out,4,403,null,"bad post values",null);
return; return;
}
} }
} }
}
// we are finished with parsing // we are finished with parsing
// the result of value hand-over is in args and argc // the result of value hand-over is in args and argc
if (path.length() == 0) { if (path.length() == 0) {
httpd.sendRespondError(conProp,out,4,400,null,"Bad Request",null); httpd.sendRespondError(conProp,out,4,400,null,"Bad Request",null);
out.flush(); out.flush();
return; return;
} }
File targetClass=null; File targetClass=null;
try {
// locate the file // locate the file
if (!(path.startsWith("/"))) path = "/" + path; // attach leading slash if (!(path.startsWith("/"))) path = "/" + path; // attach leading slash
File targetFile = getLocalizedFile(path); File targetFile = getLocalizedFile(path);

Write Preview
Loading…
Cancel
Save