Skip to content

Commit

Permalink
* adminAccountForLocalhost only for localhost
Browse files Browse the repository at this point in the history 
* yacy crawls local domains also, if no password is set (the interface is already protected)
* it's not required anymore, to set a password in intranet mode

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@7436 6c8d7289-2bf4-0310-a012-ef5d649a1542
  • Loading branch information
f1ori committed Jan 17, 2011
1 parent c9cd03b commit a321c76
Show file tree
Hide file tree
Showing 9 changed files with 39 additions and 49 deletions.
1 change: 0 additions & 1 deletion htroot/ConfigAccounts_p.html
View file
Expand Up @@ -24,7 +24,6 @@ <h2>User Administration</h2>
::
<p class="error">Username too short. Username must be >= 4 Characters.</p>
#(/error)#
#(commitIntranetWarning)#::<div class="error">With an intranet indexing configuration it is not allowed to authentify automatically from localhost!</div>#(/commitIntranetWarning)#
#(passwordNotSetWarning)#::<div class="error">No password is set for the administration account. Please define a password for the admin account.</div>#(/passwordNotSetWarning)#

<fieldset><legend>Admin Account</legend>
Expand Down
24 changes: 9 additions & 15 deletions htroot/ConfigAccounts_p.java
View file
Expand Up @@ -68,21 +68,15 @@ public static serverObjects respond(final RequestHeader header, final serverObje
}

if (localhostAccess) {
if (sb.crawlStacker.acceptLocalURLs()) {
// in this case it is not allowed to use a localhostAccess option
prop.put("commitIntranetWarning", 1);
localhostAccess = false;
sb.setConfig("adminAccountForLocalhost", false);
} else {
sb.setConfig("adminAccountForLocalhost", true);
// if an localhost access is configured, check if a local password is given
// if not, set a random password
if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
// make a 'random' password
env.setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + Digest.encodeMD5Hex(System.getProperties().toString() + System.currentTimeMillis()));
env.setConfig("adminAccount", "");
}
}

sb.setConfig("adminAccountForLocalhost", true);
// if an localhost access is configured, check if a local password is given
// if not, set a random password
if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
// make a 'random' password
env.setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + sb.genRandomPassword());
env.setConfig("adminAccount", "");
}
} else {
sb.setConfig("adminAccountForLocalhost", false);
if (env.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
Expand Down
1 change: 0 additions & 1 deletion htroot/ConfigNetwork_p.html
View file
Expand Up @@ -47,7 +47,6 @@ <h2>Network Configuration</h2>
#(commitDHTIsRobinson)#::<div class="error">For P2P operation, at least DHT distribution or DHT receive (or both) must be set. You have thus defined a Robinson configuration.</div>#(/commitDHTIsRobinson)#
#(commitDHTNoGlobalSearch)#::<div class="error">Global Search in P2P configuration is only allowed, if index receive is switched on. You have a P2P configuration, but are not allowed to search other peers.</div>#(/commitDHTNoGlobalSearch)#
#(commitRobinson)#::<div class="commit">For Robinson Mode, index distribution and receive is switched off.</div>#(/commitRobinson)#
#(commitPasswordWarning)#::<div class="error">With this configuration it is not allowed to authentify automatically from localhost! Please open the <a href="ConfigAccounts_p.html">Account Configuration</a> and set a new password.</div>#(/commitPasswordWarning)#
<form id="NetworkForm" method="post" action="ConfigNetwork_p.html" enctype="multipart/form-data" accept-charset="UTF-8">
<fieldset>
<legend>
Expand Down
5 changes: 0 additions & 5 deletions htroot/ConfigNetwork_p.java
View file
Expand Up @@ -35,7 +35,6 @@
import net.yacy.kelondro.util.MapTools;

import de.anomic.data.WorkTables;
import de.anomic.http.server.HTTPDemon;
import de.anomic.search.Switchboard;
import de.anomic.search.SwitchboardConstants;
import de.anomic.server.serverObjects;
Expand Down Expand Up @@ -67,10 +66,6 @@ public static serverObjects respond(final RequestHeader header, final serverObje
// shut down old network and index, start up new network and index
commit = 1;
sb.switchNetwork(networkDefinition);
// check if the password is given
if (sb.getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
prop.put("commitPasswordWarning", "1");
}
}
}

Expand Down
2 changes: 1 addition & 1 deletion source/de/anomic/http/server/HTTPDFileHandler.java
View file
Expand Up @@ -293,7 +293,7 @@ public static void doResponse(final Properties conProp, final RequestHeader requ

final boolean adminAccountForLocalhost = sb.getConfigBool("adminAccountForLocalhost", false);
final String refererHost = requestHeader.refererHost();
boolean accessFromLocalhost = Domains.isLocal(clientIP) && (refererHost == null || refererHost.length() == 0 || Domains.isLocal(refererHost));
boolean accessFromLocalhost = Domains.isLocalhost(clientIP) && (refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost));
final boolean grantedForLocalhost = adminAccountForLocalhost && accessFromLocalhost;
final boolean protectedPage = path.indexOf("_p.") > 0;
final boolean accountEmpty = adminAccountBase64MD5.length() == 0;
Expand Down
28 changes: 6 additions & 22 deletions source/de/anomic/search/Switchboard.java
View file
Expand Up @@ -103,7 +103,6 @@
import net.yacy.kelondro.index.RowSpaceExceededException;
import net.yacy.kelondro.logging.Log;
import net.yacy.kelondro.order.Base64Order;
import net.yacy.kelondro.order.Digest;
import net.yacy.kelondro.order.NaturalOrder;
import net.yacy.kelondro.util.EventTracker;
import net.yacy.kelondro.util.FileUtils;
Expand Down Expand Up @@ -552,8 +551,7 @@ public Switchboard(final File dataPath, final File appPath, final String initPat
// that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer
if ((crawlStacker.acceptLocalURLs()) && (getConfigBool("adminAccountForLocalhost", false))) {
setConfig("adminAccountForLocalhost", false);
if ((getConfigBool("adminAccountForLocalhost", false))) {
if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more
Expand Down Expand Up @@ -921,20 +919,6 @@ public void switchNetwork(final String networkDefinition) throws FileNotFoundExc
continueCrawlJob(SwitchboardConstants.CRAWLJOB_REMOTE_TRIGGERED_CRAWL);
log.logInfo("SWITCH NETWORK: FINISHED START UP, new network is now '" + networkDefinition + "'.");

// check status of account configuration: when local url crawling is allowed, it is not allowed
// that an automatic authorization of localhost is done, because in this case crawls from local
// addresses are blocked to prevent attack szenarios where remote pages contain links to localhost
// addresses that can steer a YaCy peer
if ((crawlStacker.acceptLocalURLs()) && (getConfigBool("adminAccountForLocalhost", false))) {
setConfig("adminAccountForLocalhost", false);
if (getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").startsWith("0000")) {
// the password was set automatically with a random value.
// We must remove that here to prevent that a user cannot log in any more
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "");
// after this a message must be generated to alert the user to set a new password
log.logInfo("RANDOM PASSWORD REMOVED! User must set a new password");
}
}
// set the network-specific remote crawl ppm
setRemotecrawlPPM(Math.max(1, (int) getConfigLong("network.unit.remotecrawl.speed", 60)));
}
Expand Down Expand Up @@ -1461,9 +1445,9 @@ public boolean cleanupJob() {
}

// set a random password if no password is configured
if (!crawlStacker.acceptLocalURLs() && getConfigBool("adminAccountForLocalhost", false) && getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
if (getConfigBool("adminAccountForLocalhost", false) && getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "").length() == 0) {
// make a 'random' password
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + Digest.encodeMD5Hex(System.getProperties().toString() + System.currentTimeMillis()));
setConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "0000" + this.genRandomPassword());
setConfig("adminAccount", "");
}

Expand Down Expand Up @@ -2076,9 +2060,9 @@ public boolean accessFromLocalhost(final RequestHeader requestHeader) {

// authorization for localhost, only if flag is set to grant localhost access as admin
final String clientIP = requestHeader.get(HeaderFramework.CONNECTION_PROP_CLIENTIP, "");
if (!Domains.isLocal(clientIP)) return false;
if (!Domains.isLocalhost(clientIP)) return false;
final String refererHost = requestHeader.refererHost();
return refererHost == null || refererHost.length() == 0 || Domains.isLocal(refererHost);
return refererHost == null || refererHost.length() == 0 || Domains.isLocalhost(refererHost);
}

public int adminAuthenticated(final RequestHeader requestHeader) {
Expand All @@ -2091,7 +2075,7 @@ public int adminAuthenticated(final RequestHeader requestHeader) {
final String authorization = (requestHeader.get(RequestHeader.AUTHORIZATION, "xxxxxx")).trim().substring(6);

// security check against too long authorization strings
if (authorization.length() > 256) return 0;
if (authorization.length() > 256) return 0;

// authorization by encoded password, only for localhost access
final String adminAccountBase64MD5 = getConfig(HTTPDemon.ADMIN_ACCOUNT_B64MD5, "");
Expand Down
16 changes: 16 additions & 0 deletions source/de/anomic/server/serverSwitch.java
View file
Expand Up @@ -35,6 +35,7 @@
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Random;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;

Expand All @@ -44,6 +45,7 @@
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.protocol.http.HTTPClient;
import net.yacy.kelondro.logging.Log;
import net.yacy.kelondro.order.Digest;
import net.yacy.kelondro.util.FileUtils;
import net.yacy.kelondro.workflow.BusyThread;
import net.yacy.kelondro.workflow.WorkflowThread;
Expand Down Expand Up @@ -611,4 +613,18 @@ public Reader getConfigFileFromWebOrLocally(String uri, String rootPath, File fi
}
}

private static Random pwGenerator = new Random();

/**
* generates a random password
*/
public String genRandomPassword() {
return genRandomPassword(20);
}
public String genRandomPassword(int length) {
byte[] bytes = new byte[length];
pwGenerator.nextBytes(bytes);
return Digest.encodeMD5Hex(bytes);
}

}
7 changes: 7 additions & 0 deletions source/net/yacy/cora/protocol/Domains.java
View file
Expand Up @@ -742,6 +742,13 @@ public static int getDomainID(final String host) {
if (i == null) return TLD_Generic_ID;
return i.intValue();
}

public static boolean isLocalhost(final String host) {
if (host.equals("127.0.0.1")) return true;
if (host.equals("localhost")) return true;
if (host.startsWith("0:0:0:0:0:0:0:1")) return true;
return false;
}

public static boolean isLocal(final String host) {
return isLocal(host, true);
Expand Down
4 changes: 0 additions & 4 deletions source/net/yacy/repository/LoaderDispatcher.java
View file
Expand Up @@ -184,10 +184,6 @@ private Response loadInternal(final Request request, CrawlProfile.CacheStrategy
final String protocol = url.getProtocol();
final String host = url.getHost();

// check if this loads a page from localhost, which must be prevented to protect the server
// against attacks to the administration interface when localhost access is granted
if (url.isLocal() && sb.getConfigBool("adminAccountForLocalhost", false)) throw new IOException("access to localhost not granted for url " + url);

// check if we have the page in the cache
final Map<String, String> mp = sb.crawler.profilesActiveCrawls.get(request.profileHandle().getBytes());
CrawlProfile crawlProfile = mp == null ? null : new CrawlProfile(mp);
Expand Down

0 comments on commit a321c76

Please sign in to comment.