From d9d1c8de705ad2e001a002ff72f2499796ea7b59 Mon Sep 17 00:00:00 2001
From: orbiter
Date: Mon, 19 May 2008 23:05:19 +0000
Subject: [PATCH] more protection against remote shutdown attacks: prevent loading using the crawler

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4829 6c8d7289-2bf4-0310-a012-ef5d649a1542
---
 htroot/Collage.java | 28 ++++++++++++++------
 source/de/anomic/crawler/ProtocolLoader.java | 5 ++++
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/htroot/Collage.java b/htroot/Collage.java
index 80594db11..15b6f7587 100755
--- a/htroot/Collage.java
+++ b/htroot/Collage.java
@@ -42,8 +42,10 @@ import java.util.Random;
 import de.anomic.crawler.ResultImages;
 import de.anomic.http.httpHeader;
 import de.anomic.plasma.plasmaSwitchboard;
+import de.anomic.server.serverCore;
 import de.anomic.server.serverObjects;
 import de.anomic.server.serverSwitch;
+import de.anomic.yacy.yacyURL;

 public class Collage {
 private static int fifoMax = 20;
@@ -98,20 +100,30 @@ public class Collage { if (fifoSize > 0) { prop.put("imgurl", "1"); - - for (int i = 0; i < fifoSize; i++) - prop.put("imgurl_list_" + i + "_url", - "" - + "" + + "" + + "title=\"" + baseURL.toNormalform(true, false) + "\">" + "
"); - - prop.put("imgurl_list", fifoSize); + c++; + } + prop.put("imgurl_list", c); } else { prop.put("imgurl", "0"); }
diff --git a/source/de/anomic/crawler/ProtocolLoader.java b/source/de/anomic/crawler/ProtocolLoader.java
index 753287154..e82a45faf 100644
--- a/source/de/anomic/crawler/ProtocolLoader.java
+++ b/source/de/anomic/crawler/ProtocolLoader.java
@@ -34,6 +34,7 @@ import java.util.concurrent.ConcurrentHashMap;

 import de.anomic.plasma.plasmaHTCache;
 import de.anomic.plasma.plasmaSwitchboard;
+import de.anomic.server.serverCore;
 import de.anomic.server.logging.serverLog;

 public final class ProtocolLoader {
@@ -72,6 +73,10 @@ public final class ProtocolLoader {
 String protocol = entry.url().getProtocol();
 String host = entry.url().getHost();

+ // check if this loads a page from localhost, which must be prevented to protect the server
+ // against attacks to the administration interface when localhost access is granted
+ if (serverCore.isLocalhost(host) && sb.getConfigBool("adminAccountForLocalhost", false)) return null;
+
 // check access time
 if (!entry.url().isLocal()) {
 Long lastAccess = accessTime.get(host);
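Review bot: In the second hunk of htroot/Collage.java, `baseURL.toNormalform(true, false)` is concatenated directly into the `title=\"…\"` attribute of the generated markup, and the value originates from crawled image results. Unless toNormalform is guaranteed to encode `"`, `<` and `>` (its body is not visible here), a crawled URL can break out of the attribute on a page served by the peer's own interface, so the value should be HTML-escaped before it is appended, with a comment such as `// URL comes from crawled content: escape before writing into markup`. The string literals of this hunk are truncated in this rendering, so the same check should be applied to every other attribute the URL is written into.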
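Review bot: The new guard in source/de/anomic/crawler/ProtocolLoader.java tests only the literal host of `entry.url()` before the fetch, so as far as this hunk shows it does not cover a DNS name that resolves to a loopback address or a redirect that lands on localhost after the check has passed; what `serverCore.isLocalhost` accepts is not visible here. Testing the resolved address as well, and re-applying the check to redirect targets in the protocol handlers, would close that gap. The rejection is also silent: `return null` without a log line makes a blocked request to the administration interface indistinguishable from any other load failure, so a warning naming the rejected URL would help detection. At minimum the limit should be documented in place, e.g. `// matches the URL's literal host only; redirect targets and names resolving to loopback are not checked here`. The enclosing method starts and ends outside the hunk.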