
Enforced access controls on a few more administration pages.

 - ensure the HTTP POST method is used when performing operations with
server-side effects
 - a transaction token is required to ensure the request was actually
initiated by user interaction
luccioman committed Apr 3, 2017
1 parent 0feded2 commit 665d087d768bd5ae182e2e114403ad0bfe295ec2
@@ -16,6 +16,7 @@ <h2>Integration of a Search Portal</h2>
To change also colours and styles use the <a href="ConfigAppearance_p.html">Appearance Servlet</a> for different skins and languages.
</p>
<form action="ConfigPortal_p.html" method="post" enctype="multipart/form-data" id="ConfigPortal" accept-charset="UTF-8">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<dl>
<dt>Greeting Line</dt>
@@ -35,6 +35,7 @@
import net.yacy.cora.document.id.DigestURL;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.data.WorkTables;
import net.yacy.http.servlets.YaCyDefaultServlet;
import net.yacy.search.Switchboard;
@@ -50,6 +51,9 @@ public static serverObjects respond(final RequestHeader header, final serverObje
final Switchboard sb = (Switchboard) env;
if (post != null) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
if (post.containsKey("popup")) {
final String popup = post.get("popup", "status");
if ("front".equals(popup)) {
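Review bot: The token check at the top of the `post != null` branch runs for every request that carries parameters, before the code looks at what was requested; if `post` is also populated from a GET query string (the `post != null && ...` guards in the other hunks of this commit suggest it is not tied to the method), any existing parameterised link into ConfigPortal_p.html would now be rejected. Confirm that `TransactionManager.checkPostTransaction` itself refuses non-POST requests, or move the call into the branches that actually write configuration, immediately before the first `sb.setConfig(...)`. The `respond` method continues past the end of this hunk, so the writing branches are not visible here.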
@@ -154,6 +158,9 @@ public static serverObjects respond(final RequestHeader header, final serverObje
sb.setConfig("search.excludehosth", config.getProperty("search.excludehosth",""));
}
}
/* Acquire a transaction token for the next POST form submission */
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header));
prop.putHTML(SwitchboardConstants.GREETING, sb.getConfig(SwitchboardConstants.GREETING, ""));
prop.putHTML(SwitchboardConstants.GREETING_HOMEPAGE, sb.getConfig(SwitchboardConstants.GREETING_HOMEPAGE, ""));
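Review bot: The transaction token is stored with `prop.put` while every neighbouring value destined for the template goes through `prop.putHTML`; since the token lands inside a quoted HTML attribute (`value="#[transactionToken]#"` in the ConfigPortal_p.html hunk), leaving it unescaped is only safe if `getTransactionToken` is guaranteed to emit attribute-safe characters, which this hunk cannot show. Unless that guarantee is documented on TransactionManager, `prop.putHTML(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header));` keeps the encoding consistent with the surrounding lines. The same applies to the token `put` calls in the Table_API_p.java hunk that sets the `showtable_`-prefixed key and in the Translator_p.java hunk at the end of its `respond`.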
@@ -46,6 +46,7 @@ <h2>Process Scheduler</h2>
#(showtable)#::
<form action="Table_API_p.html" method="post" enctype="multipart/form-data" accept-charset="UTF-8" id="apilist">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<legend>Recorded Actions</legend>
<br />
@@ -35,6 +35,7 @@
import net.yacy.cora.protocol.Domains;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.data.WorkTables;
import net.yacy.kelondro.blob.Tables;
import net.yacy.kelondro.blob.Tables.Row;
@@ -46,10 +47,10 @@
public class Table_API_p {
public static serverObjects respond(@SuppressWarnings("unused") final RequestHeader header, final serverObjects post, final serverSwitch env) {
public static serverObjects respond(final RequestHeader header, final serverObjects post, final serverSwitch env) {
final Switchboard sb = (Switchboard) env;
final serverObjects prop = new serverObjects();
prop.put("showexec", 0);
prop.put("showtable", 0);
@@ -85,6 +86,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
current_pk = post.get("current_pk", "");
}
if (post != null && scheduleeventaction && !current_pk.isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
try {
Tables.Row row = sb.tables.select(WorkTables.TABLE_API_NAME, current_pk.getBytes());
if (row != null) {
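Review bot: `TransactionManager.checkPostTransaction(header, post);` is repeated at the start of each side-effecting branch — here and in the three following Table_API_p.java hunks ahead of the `deleterows`, `deleteold` and `execrows` handling — so a branch added later can silently miss the guard, and a request carrying more than one of these parameters is verified several times, which matters if tokens are single-use (not visible from this hunk). A single guard ahead of the first action branch, `if (post != null && ((scheduleeventaction && !current_pk.isEmpty()) || !post.get("deleterows", "").isEmpty() || !post.get("deleteold", "").isEmpty() || !post.get("execrows", "").isEmpty())) { TransactionManager.checkPostTransaction(header, post); }`, would make the check the default rather than a per-branch obligation. `respond` starts before this hunk, so the declaration of `scheduleeventaction` is not shown here.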
@@ -150,6 +155,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
}
if (post != null && !post.get("deleterows", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
for (final Map.Entry<String, String> entry : post.entrySet()) {
if (entry.getValue().startsWith("mark_")) {
try {
@@ -162,6 +171,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
}
if (post != null && !post.get("deleteold", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
int days = post.getInt("deleteoldtime", 365);
try {
Iterator<Row> ri = sb.tables.iterator(WorkTables.TABLE_API_NAME);
@@ -199,6 +212,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
}
if (post != null && !post.get("execrows", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
// create a time-ordered list of events to execute
final Set<String> pks = new TreeSet<String>();
for (final Map.Entry<String, String> entry : post.entrySet()) {
@@ -234,6 +251,11 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
// generate table
prop.put("showtable", 1);
prop.put("showtable_inline", inline ? 1 : 0);
/* Acquire a transaction token for the next POST form submission */
final String nextTransactionToken = TransactionManager.getTransactionToken(header);
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
prop.put("showtable_" + TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
// insert rows
final List<Tables.Row> table = new ArrayList<Tables.Row>(maximumRecords);
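Review bot: The token is stored twice, under the plain `TRANSACTION_TOKEN_PARAM` key and under a `showtable_`-prefixed copy; the Table_API_p.html hunk places its hidden input inside the `#(showtable)#` block, so only the prefixed key appears to feed a form and the plain `prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);` looks redundant unless the template has a second form outside that block, which is not visible here. If it is kept on purpose, a one-line comment naming the template element that consumes it would stop the next reader from dropping it.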
@@ -13,6 +13,7 @@ <h2>Translation Editor</h2>
<p>Translate untranslated text of the user interface (current language). The modified translation file is stored in DATA/LOCALE directory.</p>
<form id="Translation" method="post" action="Translator_p.html" enctype="multipart/form-data" accept-charset="UTF-8">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<legend>
<label>UI Translation</label>
@@ -24,6 +24,7 @@
import java.util.Map;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverObjects;
@@ -33,7 +34,7 @@
public class Translator_p {
public static servletProperties respond(@SuppressWarnings("unused") final RequestHeader requestHeader, @SuppressWarnings("unused") final serverObjects post, @SuppressWarnings("unused") final serverSwitch env) {
public static servletProperties respond(final RequestHeader requestHeader, final serverObjects post, final serverSwitch env) {
try {
final servletProperties prop = new servletProperties();
final Switchboard sb = (Switchboard) env;
@@ -112,6 +113,9 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
}
// handle (modified) input text
if (i == textlistid && post != null) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(requestHeader, post);
if (editapproved) { // switch already translated in edit mode by copying to local translation
// not saved here as not yet modified/approved
localTransMgr.addTranslation(localTrans, filename, sourcetext, targettxt);
@@ -138,6 +142,9 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
changed = true;
}
if (changed) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(requestHeader, post);
localTransMgr.saveAsLngFile(langcfg, locallngfile, localTrans);
// adhoc translate this file
// 1. get/calc the path
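Review bot: The second `TransactionManager.checkPostTransaction(requestHeader, post);` inside `if (changed)` runs after `changed = true` two lines above, which presumably marks an in-memory translation update that has already been applied, so it guards the file write but not the state change. If `changed` can only become true inside the `i == textlistid && post != null` block that the previous hunk already checks, this call is redundant and, should tokens be single-use, a second verification of the same token would reject the save; otherwise the check belongs before the mutation rather than before `saveAsLngFile`. `respond` continues outside this hunk, so which case applies cannot be confirmed here.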
@@ -150,6 +157,10 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
localTransMgr.translateFile(sourceFile, destFile, origTextList); // do the translation
}
}
/* Acquire a transaction token for the next POST form submission */
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(requestHeader));
prop.put("textlist", i);
return prop;
} catch (IOException ex) {

