Mirrors/yacy_search_server
1
0
Fork 0
mirror of https://github.com/yacy/yacy_search_server.git synced 2025-07-19 08:44:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Enforced access controls on a few more administration pages.

Browse Source 
- ensure use of HTTP POST method when performing server side effect
operations
 - transaction token required to ensure the request has effectively been
requested by user interaction
This commit is contained in:
luccioman
2017-04-03 12:20:16 +02:00
parent 0feded21dd
commit 665d087d76
6 changed files with 46 additions and 3 deletions

1
htroot/ConfigPortal_p.html

@ -16,6 +16,7 @@
To change also colours and styles use the <a href="ConfigAppearance_p.html">Appearance Servlet</a> for different skins and languages.
</p>
<form action="ConfigPortal_p.html" method="post" enctype="multipart/form-data" id="ConfigPortal" accept-charset="UTF-8">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<dl>
<dt>Greeting Line</dt>

7
htroot/ConfigPortal_p.java

@ -35,6 +35,7 @@ import java.util.Properties;
import net.yacy.cora.document.id.DigestURL;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.data.WorkTables;
import net.yacy.http.servlets.YaCyDefaultServlet;
import net.yacy.search.Switchboard;
@ -50,6 +51,9 @@ public class ConfigPortal_p {
final Switchboard sb = (Switchboard) env;
if (post != null) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
if (post.containsKey("popup")) {
final String popup = post.get("popup", "status");
if ("front".equals(popup)) {
@ -154,6 +158,9 @@ public class ConfigPortal_p {
sb.setConfig("search.excludehosth", config.getProperty("search.excludehosth",""));
}
}
/* Acquire a transaction token for the next POST form submission */
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header));
prop.putHTML(SwitchboardConstants.GREETING, sb.getConfig(SwitchboardConstants.GREETING, ""));
prop.putHTML(SwitchboardConstants.GREETING_HOMEPAGE, sb.getConfig(SwitchboardConstants.GREETING_HOMEPAGE, ""));

1
htroot/Table_API_p.html

@ -46,6 +46,7 @@ To see a list of all APIs, please visit the <a href="http://www.yacy-websuche.de
#(showtable)#::
<form action="Table_API_p.html" method="post" enctype="multipart/form-data" accept-charset="UTF-8" id="apilist">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<legend>Recorded Actions</legend>
<br />

26
htroot/Table_API_p.java

@ -35,6 +35,7 @@ import net.yacy.cora.document.id.MultiProtocolURL;
import net.yacy.cora.protocol.Domains;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.data.WorkTables;
import net.yacy.kelondro.blob.Tables;
import net.yacy.kelondro.blob.Tables.Row;
@ -46,10 +47,10 @@ import net.yacy.server.serverSwitch;
public class Table_API_p {
public static serverObjects respond(@SuppressWarnings("unused") final RequestHeader header, final serverObjects post, final serverSwitch env) {
public static serverObjects respond(final RequestHeader header, final serverObjects post, final serverSwitch env) {
final Switchboard sb = (Switchboard) env;
final serverObjects prop = new serverObjects();
prop.put("showexec", 0);
prop.put("showtable", 0);
@ -85,6 +86,10 @@ public class Table_API_p {
current_pk = post.get("current_pk", "");
}
if (post != null && scheduleeventaction && !current_pk.isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
try {
Tables.Row row = sb.tables.select(WorkTables.TABLE_API_NAME, current_pk.getBytes());
if (row != null) {
@ -150,6 +155,10 @@ public class Table_API_p {
}
if (post != null && !post.get("deleterows", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
for (final Map.Entry<String, String> entry : post.entrySet()) {
if (entry.getValue().startsWith("mark_")) {
try {
@ -162,6 +171,10 @@ public class Table_API_p {
}
if (post != null && !post.get("deleteold", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
int days = post.getInt("deleteoldtime", 365);
try {
Iterator<Row> ri = sb.tables.iterator(WorkTables.TABLE_API_NAME);
@ -199,6 +212,10 @@ public class Table_API_p {
}
if (post != null && !post.get("execrows", "").isEmpty()) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(header, post);
// create a time-ordered list of events to execute
final Set<String> pks = new TreeSet<String>();
for (final Map.Entry<String, String> entry : post.entrySet()) {
@ -234,6 +251,11 @@ public class Table_API_p {
// generate table
prop.put("showtable", 1);
prop.put("showtable_inline", inline ? 1 : 0);
/* Acquire a transaction token for the next POST form submission */
final String nextTransactionToken = TransactionManager.getTransactionToken(header);
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
prop.put("showtable_" + TransactionManager.TRANSACTION_TOKEN_PARAM, nextTransactionToken);
// insert rows
final List<Tables.Row> table = new ArrayList<Tables.Row>(maximumRecords);

1
htroot/Translator_p.html

@ -13,6 +13,7 @@
<p>Translate untranslated text of the user interface (current language). The modified translation file is stored in DATA/LOCALE directory.</p>
<form id="Translation" method="post" action="Translator_p.html" enctype="multipart/form-data" accept-charset="UTF-8">
<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
<fieldset>
<legend>
<label>UI Translation</label>

13
htroot/Translator_p.java

@ -24,6 +24,7 @@ import java.util.Iterator;
import java.util.Map;
import net.yacy.cora.protocol.RequestHeader;
import net.yacy.cora.util.ConcurrentLog;
import net.yacy.data.TransactionManager;
import net.yacy.search.Switchboard;
import net.yacy.search.SwitchboardConstants;
import net.yacy.server.serverObjects;
@ -33,7 +34,7 @@ import net.yacy.utils.translation.TranslationManager;
public class Translator_p {
public static servletProperties respond(@SuppressWarnings("unused") final RequestHeader requestHeader, @SuppressWarnings("unused") final serverObjects post, @SuppressWarnings("unused") final serverSwitch env) {
public static servletProperties respond(final RequestHeader requestHeader, final serverObjects post, final serverSwitch env) {
try {
final servletProperties prop = new servletProperties();
final Switchboard sb = (Switchboard) env;
@ -112,6 +113,9 @@ public class Translator_p {
}
// handle (modified) input text
if (i == textlistid && post != null) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(requestHeader, post);
if (editapproved) { // switch already translated in edit mode by copying to local translation
// not saved here as not yet modified/approved
localTransMgr.addTranslation(localTrans, filename, sourcetext, targettxt);
@ -138,6 +142,9 @@ public class Translator_p {
changed = true;
}
if (changed) {
/* Check this is a valid transaction */
TransactionManager.checkPostTransaction(requestHeader, post);
localTransMgr.saveAsLngFile(langcfg, locallngfile, localTrans);
// adhoc translate this file
// 1. get/calc the path
@ -150,6 +157,10 @@ public class Translator_p {
localTransMgr.translateFile(sourceFile, destFile, origTextList); // do the translation
}
}
/* Acquire a transaction token for the next POST form submission */
prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(requestHeader));
prop.put("textlist", i);
return prop;
} catch (IOException ex) {