Enforced access controls to System settings pages

2024-09-19 00:01:41 +02:00 · 2018-09-19 09:18:36 +02:00 · 2018-09-19 09:18:36 +02:00 · 4ed055bcdf
commit 4ed055bcdf
parent de6820d257
14 changed files with 21 additions and 0 deletions
--- a/htroot/SettingsAck_p.java
+++ b/htroot/SettingsAck_p.java
@ -35,6 +35,7 @@ import java.util.regex.PatternSyntaxException;

 import net.yacy.cora.order.Digest;
 import net.yacy.cora.protocol.RequestHeader;
+import net.yacy.data.TransactionManager;
 import net.yacy.http.InetPathAccessHandler;
 import net.yacy.kelondro.util.Formatter;
 import net.yacy.peers.Network;
@ -66,6 +67,9 @@ public class SettingsAck_p {
            prop.put("info", "1");//no information submitted
            return prop;
        }
+        
+    	/* Check this is a valid transaction */
+    	TransactionManager.checkPostTransaction(header, post);

        // admin password
        if (post.containsKey("adminaccount")) {
--- a/htroot/Settings_Crawler.inc
+++ b/htroot/Settings_Crawler.inc
@ -1,4 +1,5 @@
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="admin">Crawler Settings</legend>
 <table border="0" cellspacing="5" width="100%">
  <tr><td colspan="3"><p><strong>Generic Crawler Settings</strong>:</p></td></tr>
--- a/htroot/Settings_Debug.inc
+++ b/htroot/Settings_Debug.inc
@ -5,6 +5,7 @@
 </div>

 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data" class="form-horizontal">
+	<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 	<fieldset>
 		<legend>Solr communication</legend>
 		
--- a/htroot/Settings_MessageForwarding.inc
+++ b/htroot/Settings_MessageForwarding.inc
@ -1,4 +1,5 @@
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="messageForwarding">Message Forwarding</legend>
 <p>With this settings you can activate or deactivate forwarding of yacy-messages via email.</p>
 <table border="0" cellspacing="5">
--- a/htroot/Settings_Proxy.inc
+++ b/htroot/Settings_Proxy.inc
@ -1,4 +1,5 @@
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="proxy">Remote Proxy (optional)</legend>
 <p>YaCy can use another proxy to connect to the internet. You can enter the address for the remote proxy here:</p>

--- a/htroot/Settings_ProxyAccess.inc
+++ b/htroot/Settings_ProxyAccess.inc
@ -1,4 +1,5 @@
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="http">Proxy Settings</legend>
 <table border="0" cellspacing="5">
  <tr valign="top">
@ -38,6 +39,7 @@
 </fieldset>
 </form>
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="ProxyAccess">Proxy Access Settings</legend>
 <p>
  These settings configure the access method to your own http proxy and server.
--- a/htroot/Settings_Referrer.inc
+++ b/htroot/Settings_Referrer.inc
@ -13,6 +13,7 @@ Visited websites can process this information as they whish, so this can become
 </p>

 <form action="SettingsAck_p.html" method="post" class="form-horizontal">
+	<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 	<fieldset>
 		<legend>Global policy</legend>
 		
--- a/htroot/Settings_Seed.inc
+++ b/htroot/Settings_Seed.inc
@ -11,6 +11,7 @@
  but only if there have been changes to the seed-list.
 </p>
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <table border="0" cellspacing="5">
  <tr valign="top">
    <td><label for="method">Upload Method</label>:</td>
--- a/htroot/Settings_Seed_UploadFile.inc
+++ b/htroot/Settings_Seed_UploadFile.inc
@ -2,6 +2,7 @@
 <p><strong>Store into filesystem:</strong></p>
 <p>You must configure this if you want to store the seed-list file onto the file system.</p>
 <form action="SettingsAck_p.html" method="post">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <table border="0" cellspacing="5">
  <tr valign="top">
    <td><label for="fs_path">File Location:</label></td>
--- a/htroot/Settings_Seed_UploadFtp.inc
+++ b/htroot/Settings_Seed_UploadFtp.inc
@ -7,6 +7,7 @@
  but only if there had been changes to the seed-list.
 </p>
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <table border="0" cellspacing="5">
  <tr valign="top">
    <td><label for="ftp_server">Server</label>:</td>
--- a/htroot/Settings_Seed_UploadScp.inc
+++ b/htroot/Settings_Seed_UploadScp.inc
@ -2,6 +2,7 @@
 <p><strong>Uploading via SCP:</strong></p>
 <p>This is the account for a server where you are able to login via ssh.</p>
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <table border="0" cellspacing="5">
  <tr valign="top">
    <td><label for="scp_serv">Server</label>:</td>
--- a/htroot/Settings_ServerAccess.inc
+++ b/htroot/Settings_ServerAccess.inc
@ -1,4 +1,5 @@
 <form action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+<input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
 <fieldset><legend id="general">Server Access Settings</legend>
 <table border="0" cellspacing="5">
  <tr valign="top">
--- a/htroot/Settings_UrlProxyAccess.inc
+++ b/htroot/Settings_UrlProxyAccess.inc
@ -1,5 +1,6 @@

 <form id="urlproxysettings" action="SettingsAck_p.html" method="post" enctype="multipart/form-data">
+  <input type="hidden" name="transactionToken" value="#[transactionToken]#"/>
  <fieldset><legend id="urlproxy">URL Proxy Settings</legend>
    <p>
    With this settings you can activate or deactivate URL proxy.
--- a/htroot/Settings_p.java
+++ b/htroot/Settings_p.java
@ -26,6 +26,7 @@ import java.util.HashMap;
 import java.util.Iterator;

 import net.yacy.cora.protocol.RequestHeader;
+import net.yacy.data.TransactionManager;
 import net.yacy.http.ReferrerPolicy;
 import net.yacy.peers.Network;
 import net.yacy.peers.Seed;
@ -47,6 +48,9 @@ public final class Settings_p {
        
        final String page = (post == null) ? "general" : post.get("page", "general");
        
+        /* Acquire a transaction token for the next possible POST form submission */
+        prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header, "/SettingsAck_p.html"));
+        
        if (page.equals("ProxyAccess")) {
            prop.put("settingsTables", "Settings_ProxyAccess.inc");
        }