Author: toad
Date: 2008-12-11 22:53:08 +0000 (Thu, 11 Dec 2008)
New Revision: 24207
Modified:
trunk/freenet/src/freenet/clients/http/FProxyToadlet.java
trunk/freenet/src/freenet/clients/http/LinkEnabledCallback.java
trunk/freenet/src/freenet/clients/http/OpennetConnectionsToadlet.java
trunk/freenet/src/freenet/clients/http/PageMaker.java
trunk/freenet/src/freenet/clients/http/QueueToadlet.java
trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
trunk/freenet/src/freenet/clients/http/ToadletContainer.java
trunk/freenet/src/freenet/clients/http/ToadletContextImpl.java
trunk/freenet/src/freenet/l10n/freenet.l10n.en.properties
Log:
Public gateway mode: For connections that aren't in the allowed-full-access
list, turn off POST parsing, turn off global queue support, and turn off the
queue page on the menu.
Modified: trunk/freenet/src/freenet/clients/http/FProxyToadlet.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/FProxyToadlet.java 2008-12-11
22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/FProxyToadlet.java 2008-12-11
22:53:08 UTC (rev 24207)
@@ -688,8 +688,8 @@
N2NTMToadlet n2ntmToadlet = new N2NTMToadlet(node, core,
client);
server.register(n2ntmToadlet, "/send_n2ntm/", true, true);
- QueueToadlet queueToadlet = new QueueToadlet(core,
core.getFCPServer(), client);
- server.register(queueToadlet, "/queue/", true,
"FProxyToadlet.queueTitle", "FProxyToadlet.queue", false, null);
+ QueueToadlet queueToadlet = new QueueToadlet(core,
core.getFCPServer(), client, server);
+ server.register(queueToadlet, "/queue/", true,
"FProxyToadlet.queueTitle", "FProxyToadlet.queue", false, queueToadlet);
StatisticsToadlet statisticsToadlet = new
StatisticsToadlet(node, core, client);
server.register(statisticsToadlet, "/stats/", true,
"FProxyToadlet.statsTitle", "FProxyToadlet.stats", true, null);
Modified: trunk/freenet/src/freenet/clients/http/LinkEnabledCallback.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/LinkEnabledCallback.java
2008-12-11 22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/LinkEnabledCallback.java
2008-12-11 22:53:08 UTC (rev 24207)
@@ -2,7 +2,8 @@
public interface LinkEnabledCallback {
- /** Whether to show the link? */
- boolean isEnabled();
+ /** Whether to show the link?
+ * @param ctx */
+ boolean isEnabled(ToadletContext ctx);
}
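Review bot: The new `@param ctx` tag in the Javadoc is empty, so an implementer cannot tell what the context is for or whether it may be null. Something like `@param ctx context of the request the page is being rendered for; lets the callback decide per client, e.g. by full-access status` would state the contract. The comment should also say that this only controls whether the link is shown, and that the target toadlet has to enforce access itself.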
Modified: trunk/freenet/src/freenet/clients/http/OpennetConnectionsToadlet.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/OpennetConnectionsToadlet.java
2008-12-11 22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/OpennetConnectionsToadlet.java
2008-12-11 22:53:08 UTC (rev 24207)
@@ -50,7 +50,7 @@
return node.peers.getOpennetPeerNodeStatuses(noHeavy);
}
- public boolean isEnabled() {
+ public boolean isEnabled(ToadletContext ctx) {
return node.isOpennetEnabled();
}
Modified: trunk/freenet/src/freenet/clients/http/PageMaker.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/PageMaker.java 2008-12-11
22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/PageMaker.java 2008-12-11
22:53:08 UTC (rev 24207)
@@ -163,7 +163,7 @@
HTMLNode navbarUl = navbarDiv.addChild("ul", "id",
"navlist");
for (String navigationLink : fullAccess ?
navigationLinkTexts : navigationLinkTextsNonFull) {
LinkEnabledCallback cb =
navigationLinkCallbacks.get(navigationLink);
- if(cb != null && !cb.isEnabled()) continue;
+ if(cb != null && !cb.isEnabled(ctx)) continue;
String navigationTitle =
navigationLinkTitles.get(navigationLink);
String navigationPath =
navigationLinks.get(navigationLink);
HTMLNode listItem = navbarUl.addChild("li");
Modified: trunk/freenet/src/freenet/clients/http/QueueToadlet.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/QueueToadlet.java 2008-12-11
22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/QueueToadlet.java 2008-12-11
22:53:08 UTC (rev 24207)
@@ -55,7 +55,7 @@
import freenet.support.io.Closer;
import freenet.support.io.FileBucket;
-public class QueueToadlet extends Toadlet implements RequestCompletionCallback
{
+public class QueueToadlet extends Toadlet implements
RequestCompletionCallback, LinkEnabledCallback {
private static final int LIST_IDENTIFIER = 1;
private static final int LIST_SIZE = 2;
@@ -77,13 +77,15 @@
private NodeClientCore core;
final FCPServer fcp;
+ private ToadletContainer container;
private boolean isReversed = false;
- public QueueToadlet(NodeClientCore core, FCPServer fcp,
HighLevelSimpleClient client) {
+ public QueueToadlet(NodeClientCore core, FCPServer fcp,
HighLevelSimpleClient client, ToadletContainer container) {
super(client);
this.core = core;
this.fcp = fcp;
+ this.container = container;
if(fcp == null) throw new NullPointerException();
fcp.setCompletionCallback(this);
loadCompletedIdentifiers();
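Review bot: `container` is stored without the null check that `fcp` gets on the following line, and the new field is not `final`. The access checks added further down dereference `container` on each request, so a null passed here would only surface at request time as a NullPointerException instead of failing at construction. If nothing outside this hunk reassigns the field, consider `private final ToadletContainer container;` and `if(container == null) throw new NullPointerException();` next to the existing `fcp` check.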
@@ -97,6 +99,11 @@
return;
}
+ if(container.publicGatewayMode() && !ctx.isAllowedFullAccess())
{
+ super.sendErrorPage(ctx, 403,
L10n.getString("Toadlet.unauthorizedTitle"),
L10n.getString("Toadlet.unauthorized"));
+ return;
+ }
+
boolean logMINOR = Logger.shouldLog(Logger.MINOR, this);
try {
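Review bot: The guard `container.publicGatewayMode() && !ctx.isAllowedFullAccess()` is written out here, again in the hunk at -492, and in negated form in the new `isEnabled(ctx)` at the end of the class. Three copies of one access-control predicate can drift apart, leaving the menu and the handlers disagreeing about who may reach the queue. Both handlers could test `if(!isEnabled(ctx)) {` so the rule has a single definition. The enclosing methods start outside these hunks, so which handlers they are is not visible here.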
@@ -492,6 +499,11 @@
return;
}
+ if(container.publicGatewayMode() && !ctx.isAllowedFullAccess())
{
+ super.sendErrorPage(ctx, 403,
L10n.getString("Toadlet.unauthorizedTitle"),
L10n.getString("Toadlet.unauthorized"));
+ return;
+ }
+
final String requestPath =
request.getPath().substring("/queue/".length());
if (requestPath.length() > 0) {
@@ -1432,4 +1444,8 @@
saveCompletedIdentifiersOffThread();
}
+ public boolean isEnabled(ToadletContext ctx) {
+ return (!container.publicGatewayMode()) ||
ctx.isAllowedFullAccess();
+ }
+
}
Modified: trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
2008-12-11 22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
2008-12-11 22:53:08 UTC (rev 24207)
@@ -65,6 +65,7 @@
// ACL
private final AllowedHosts allowedFullAccess;
+ private boolean publicGatewayMode;
// Theme
private THEME cssTheme;
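Review bot: `publicGatewayMode` is a plain field that the config callback's `set()` (hunk at -366) writes and that request handling reads through `publicGatewayMode()`, presumably on different threads. Without `volatile` or synchronization, handler threads are not guaranteed to see a runtime change, so switching the mode on might not take effect for every connection. Declaring it `private volatile boolean publicGatewayMode;` makes the change visible. `set(Boolean val)` also unboxes `val` directly, so it is worth confirming that the config layer never passes null.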
@@ -366,6 +367,21 @@
}
});
+ fproxyConfig.register("publicGatewayMode", false,
configItemOrder++, true, true, "SimpleToadletServer.publicGatewayMode",
"SimpleToadletServer.publicGatewayModeLong", new BooleanCallback() {
+
+ @Override
+ public Boolean get() {
+ return publicGatewayMode;
+ }
+
+ @Override
+ public void set(Boolean val) throws
InvalidConfigValueException, NodeNeedRestartException {
+ publicGatewayMode = val;
+ }
+
+ });
+ publicGatewayMode =
fproxyConfig.getBoolean("publicGatewayMode");
+
// This is OFF BY DEFAULT because for example firefox has a
limit of 2 persistent
// connections per server, but 8 non-persistent connections per
server. We need 8 conns
// more than we need the efficiency gain of reusing connections
- especially on first
@@ -515,6 +531,10 @@
return doRobots;
}
+ public boolean publicGatewayMode() {
+ return publicGatewayMode;
+ }
+
public void start() {
if(myThread != null) try {
maybeGetNetworkInterface();
Modified: trunk/freenet/src/freenet/clients/http/ToadletContainer.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/ToadletContainer.java
2008-12-11 22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/ToadletContainer.java
2008-12-11 22:53:08 UTC (rev 24207)
@@ -56,4 +56,10 @@
/** Can we deal with POSTs yet? */
public boolean allowPosts();
+
+ /** Is public-gateway mode enabled?
+ * If so, users with full access will still be able to configure the
+ * node etc, but everyone else will not have access to the download
+ * queue or anything else that might conceivably result in a DoS. */
+ public boolean publicGatewayMode();
}
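Review bot: The Javadoc promises that clients without full access lose "the download queue or anything else that might conceivably result in a DoS", but in this commit the flag is consulted only by QueueToadlet and by POST parsing in ToadletContextImpl. Enforcement is therefore opt-in per toadlet, and any toadlet that does not check the flag stays reachable in public-gateway mode. The comment should say so, e.g. `Each toadlet exposing a costly or state-changing operation must check this itself; it is not enforced centrally.` Alternatively the check could move into the request dispatch path so that new toadlets are restricted by default.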
Modified: trunk/freenet/src/freenet/clients/http/ToadletContextImpl.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/ToadletContextImpl.java
2008-12-11 22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/clients/http/ToadletContextImpl.java
2008-12-11 22:53:08 UTC (rev 24207)
@@ -325,7 +325,8 @@
sendError(sock.getOutputStream(), 400, "Bad Request",
l10n("cannotParseContentLengthWithError", "error", e.toString()), true, null);
return;
}
- if(allowPost) {
+ if(allowPost &&
((!container.publicGatewayMode()) || ctx.isAllowedFullAccess())) {
+
data = bf.makeBucket(len);
BucketTools.copyFrom(data, is, len);
} else {
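Review bot: With this condition, POST requests from clients without full access now take the `else` branch, whose body lies outside the hunk, so the handling of a client-supplied `len` on that path cannot be checked from here. It should be confirmed that the branch either skips exactly `len` bytes without buffering them or closes the connection, so that leftover body bytes on a persistent connection are not read as the next request. The predicate `(!container.publicGatewayMode()) || ctx.isAllowedFullAccess()` also repeats the one in `QueueToadlet.isEnabled`, and a shared helper would keep the two from diverging. The added blank line after the opening brace can be dropped.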
Modified: trunk/freenet/src/freenet/l10n/freenet.l10n.en.properties
===================================================================
--- trunk/freenet/src/freenet/l10n/freenet.l10n.en.properties 2008-12-11
22:41:26 UTC (rev 24206)
+++ trunk/freenet/src/freenet/l10n/freenet.l10n.en.properties 2008-12-11
22:53:08 UTC (rev 24207)
@@ -1151,6 +1151,8 @@
SimpleToadletServer.passthroughMaxSizeLong=Maximum size of a file for
transparent pass-through in fproxy
SimpleToadletServer.port=FProxy port
SimpleToadletServer.portLong=The TCP port FProxy should listen on
+SimpleToadletServer.publicGatewayMode=Public gateway mode?
+SimpleToadletServer.publicGatewayModeLong=Should we enable public gateway
mode? For IPs which are allowed to access the node, but are not allowed full
access, this option disables the download queue and anything else that might
conceivably be abused to attack the node, while still allowing browsing
freesites. IP addresses with full access will be allowed to configure the node.
SimpleToadletServer.ssl=Enable SSL?
SimpleToadletServer.sslLong=Enable SSL on FProxy
SSL.enable=Activate SSL support?