Enforced access controls on a few more administration pages.

- ensure use of HTTP POST method when performing server side effect operations - transaction token required to ensure the request has effectively been requested by user interaction
yacy · Apr 3, 2017 · 665d087 · 665d087
1 parent 0feded2
commit 665d087
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 3 deletions.
diff --git a/htroot/ConfigPortal_p.html b/htroot/ConfigPortal_p.html
@@ -16,6 +16,7 @@ <h2>Integration of a Search Portal</h2>
       To change also colours and styles use the <a href="ConfigAppearance_p.html">Appearance Servlet</a> for different skins and languages.
     </p>
     <form action="ConfigPortal_p.html" method="post" enctype="multipart/form-data" id="ConfigPortal" accept-charset="UTF-8">
+	  <input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
       <fieldset>
         <dl>
           <dt>Greeting Line</dt>

diff --git a/htroot/ConfigPortal_p.java b/htroot/ConfigPortal_p.java
@@ -35,6 +35,7 @@
 import net.yacy.cora.document.id.DigestURL;
 import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.util.ConcurrentLog;
+import net.yacy.data.TransactionManager;
 import net.yacy.data.WorkTables;
 import net.yacy.http.servlets.YaCyDefaultServlet;
 import net.yacy.search.Switchboard;
@@ -50,6 +51,9 @@ public static serverObjects respond(final RequestHeader header, final serverObje
         final Switchboard sb = (Switchboard) env;
 
         if (post != null) {
+        	/* Check this is a valid transaction */
+        	TransactionManager.checkPostTransaction(header, post);
+
             if (post.containsKey("popup")) {
                 final String popup = post.get("popup", "status");
                 if ("front".equals(popup)) {
@@ -154,6 +158,9 @@ public static serverObjects respond(final RequestHeader header, final serverObje
                 sb.setConfig("search.excludehosth", config.getProperty("search.excludehosth",""));
             }
         }
+
+        /* Acquire a transaction token for the next POST form submission */
+        prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header));
 
         prop.putHTML(SwitchboardConstants.GREETING, sb.getConfig(SwitchboardConstants.GREETING, ""));
         prop.putHTML(SwitchboardConstants.GREETING_HOMEPAGE, sb.getConfig(SwitchboardConstants.GREETING_HOMEPAGE, ""));

diff --git a/htroot/Table_API_p.html b/htroot/Table_API_p.html
@@ -46,6 +46,7 @@ <h2>Process Scheduler</h2>
 
     #(showtable)#::	
     <form action="Table_API_p.html" method="post" enctype="multipart/form-data" accept-charset="UTF-8" id="apilist">
+	  <input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
       <fieldset>
       <legend>Recorded Actions</legend>
       <br />

diff --git a/htroot/Table_API_p.java b/htroot/Table_API_p.java
@@ -35,6 +35,7 @@
 import net.yacy.cora.protocol.Domains;
 import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.util.ConcurrentLog;
+import net.yacy.data.TransactionManager;
 import net.yacy.data.WorkTables;
 import net.yacy.kelondro.blob.Tables;
 import net.yacy.kelondro.blob.Tables.Row;
@@ -46,10 +47,10 @@
 
 public class Table_API_p {
 
-    public static serverObjects respond(@SuppressWarnings("unused") final RequestHeader header, final serverObjects post, final serverSwitch env) {
+    public static serverObjects respond(final RequestHeader header, final serverObjects post, final serverSwitch env) {
         final Switchboard sb = (Switchboard) env;
         final serverObjects prop = new serverObjects();
-
+        
         prop.put("showexec", 0);
         prop.put("showtable", 0);
 
@@ -85,6 +86,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
             current_pk = post.get("current_pk", "");
         }
         if (post != null && scheduleeventaction && !current_pk.isEmpty()) {
+
+        	/* Check this is a valid transaction */
+        	TransactionManager.checkPostTransaction(header, post);
+
             try {
                 Tables.Row row = sb.tables.select(WorkTables.TABLE_API_NAME, current_pk.getBytes());
                 if (row != null) {
@@ -150,6 +155,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
         }
 
         if (post != null && !post.get("deleterows", "").isEmpty()) {
+
+        	/* Check this is a valid transaction */
+        	TransactionManager.checkPostTransaction(header, post);
+
             for (final Map.Entry<String, String> entry : post.entrySet()) {
                 if (entry.getValue().startsWith("mark_")) {
                     try {
@@ -162,6 +171,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
         }
 
         if (post != null && !post.get("deleteold", "").isEmpty()) {
+
+        	/* Check this is a valid transaction */
+        	TransactionManager.checkPostTransaction(header, post);
+
             int days = post.getInt("deleteoldtime", 365);
             try {
                 Iterator<Row> ri = sb.tables.iterator(WorkTables.TABLE_API_NAME);
@@ -199,6 +212,10 @@ public static serverObjects respond(@SuppressWarnings("unused") final RequestHea
         }
 
         if (post != null && !post.get("execrows", "").isEmpty()) {
+
+        	/* Check this is a valid transaction */
+        	TransactionManager.checkPostTransaction(header, post);
+
             // create a time-ordered list of events to execute
             final Set<String> pks = new TreeSet<String>();
             for (final Map.Entry<String, String> entry : post.entrySet()) {
@@ -234,6 +251,11 @@ record = resultIterator.next();
         // generate table
         prop.put("showtable", 1);
         prop.put("showtable_inline", inline ? 1 : 0);
+
+        /* Acquire a transaction token for the next POST form submission */
+        final String nextTransactionToken = TransactionManager.getTransactionToken(header);
+        prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
+        prop.put("showtable_" + TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
 
         // insert rows
         final List<Tables.Row> table = new ArrayList<Tables.Row>(maximumRecords);

diff --git a/htroot/Translator_p.html b/htroot/Translator_p.html
@@ -13,6 +13,7 @@ <h2>Translation Editor</h2>
 
     <p>Translate untranslated text of the user interface (current language). The modified translation file is stored in DATA/LOCALE directory.</p>
     <form id="Translation" method="post" action="Translator_p.html" enctype="multipart/form-data" accept-charset="UTF-8">
+      <input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
       <fieldset>
         <legend>
           <label>UI Translation</label>

diff --git a/htroot/Translator_p.java b/htroot/Translator_p.java
@@ -24,6 +24,7 @@
 import java.util.Map;
 import net.yacy.cora.protocol.RequestHeader;
 import net.yacy.cora.util.ConcurrentLog;
+import net.yacy.data.TransactionManager;
 import net.yacy.search.Switchboard;
 import net.yacy.search.SwitchboardConstants;
 import net.yacy.server.serverObjects;
@@ -33,7 +34,7 @@
 
 public class Translator_p {
 
-    public static servletProperties respond(@SuppressWarnings("unused") final RequestHeader requestHeader, @SuppressWarnings("unused") final serverObjects post, @SuppressWarnings("unused") final serverSwitch env) {
+    public static servletProperties respond(final RequestHeader requestHeader, final serverObjects post, final serverSwitch env) {
         try {
             final servletProperties prop = new servletProperties();
             final Switchboard sb = (Switchboard) env;
@@ -112,6 +113,9 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
                     }
                     // handle (modified) input text
                     if (i == textlistid && post != null) {
+                    	/* Check this is a valid transaction */
+                    	TransactionManager.checkPostTransaction(requestHeader, post);
+
                         if (editapproved) { // switch already translated in edit mode by copying to local translation
                             // not saved here as not yet modified/approved
                             localTransMgr.addTranslation(localTrans, filename, sourcetext, targettxt);
@@ -138,6 +142,9 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
                     changed = true;
                 }
                 if (changed) {
+                	/* Check this is a valid transaction */
+                	TransactionManager.checkPostTransaction(requestHeader, post);
+
                     localTransMgr.saveAsLngFile(langcfg, locallngfile, localTrans);
                     // adhoc translate this file
                     // 1. get/calc the path
@@ -150,6 +157,10 @@ public static servletProperties respond(@SuppressWarnings("unused") final Reques
                     localTransMgr.translateFile(sourceFile, destFile, origTextList); // do the translation
                 }
             }
+
+            /* Acquire a transaction token for the next POST form submission */
+            prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(requestHeader));
+
             prop.put("textlist", i);
             return prop;
         } catch (IOException ex) {