From 05242a81b950eb819576c8075b8f27025c6aedba Mon Sep 17 00:00:00 2001 From: idfx Date: Sat, 20 Apr 2002 14:36:31 +0000 Subject: [PATCH] because of heavy-spam-attacks to indymedia.de i added a one-time-password-protection, it can be switched on and off by editing config.properties -> config.properties has to be updated before compilation. todo: create an image with the password-string --- source/config.properties-dist | 3 + source/mir/servlet/AbstractServlet.java | 1 + .../mircoders/servlet/ServletModuleOpenIndy.java | 83 ++++++++++++++++++---- templates-dist/open/comment.template | 5 ++ templates-dist/open/posting.template | 6 +- templates-dist/usererror.template | 2 +- 6 files changed, 86 insertions(+), 14 deletions(-) diff --git a/source/config.properties-dist b/source/config.properties-dist index b622cbc0..66534e40 100755 --- a/source/config.properties-dist +++ b/source/config.properties-dist @@ -44,6 +44,9 @@ DirectOpenposting=yes GenerateFO=yes GeneratePDF=yes +#on-time-password-protection +PasswdProtection=yes + #use rsync to mirror the website to a remote-host Rsync=no Rsync.Script.Path=/var/www/bin/rsync-copy diff --git a/source/mir/servlet/AbstractServlet.java b/source/mir/servlet/AbstractServlet.java index 82b6aa42..f81b4d8d 100755 --- a/source/mir/servlet/AbstractServlet.java +++ b/source/mir/servlet/AbstractServlet.java @@ -10,6 +10,7 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import java.util.Locale; +import java.util.Random; /** * Title: Mir diff --git a/source/mircoders/servlet/ServletModuleOpenIndy.java b/source/mircoders/servlet/ServletModuleOpenIndy.java index c4035bd0..4148b353 100755 --- a/source/mircoders/servlet/ServletModuleOpenIndy.java +++ b/source/mircoders/servlet/ServletModuleOpenIndy.java 
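Review bot: The new comment `#on-time-password-protection` misspells the feature name; it should read `#one-time-password-protection`. Since ServletModuleOpenIndy lower-cases the value and only the literal `yes` enables the check, the accepted values are worth stating next to the key, e.g. `#one-time password protection for open postings and comments (yes|no)`.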
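Review bot: `import java.util.Random;` is added to AbstractServlet.java, but nothing in this file's diff uses it; the only `new Random()` in the patch is in ServletModuleOpenIndy.createOneTimePasswd. Java imports are not inherited, so the line is dead here, and unless ServletModuleOpenIndy.java already has a `java.util.*` wildcard import (not visible in the patch) that file is the one that needs the import. Drop it from AbstractServlet, and if the token generator is moved to `java.security.SecureRandom` the import follows it there.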
@@ -45,7 +45,7 @@ public class ServletModuleOpenIndy extends ServletModule
 private ModuleImages imageModule;
 private ModuleTopics themenModule;
 private String directOp ="yes";
-
+ private String passwdProtection ="yes";
 // Singelton / Kontruktor
 private static ServletModuleOpenIndy instance = new ServletModuleOpenIndy();
 public static ServletModule getInstance() { return instance; }
@@ -60,11 +60,13 @@ public class ServletModuleOpenIndy extends ServletModule
 postingFormDoneTemplate = MirConfig.getProp("ServletModule.OpenIndy.PostingDoneTemplate");
 postingFormDupeTemplate = MirConfig.getProp("ServletModule.OpenIndy.PostingDupeTemplate");
 directOp = MirConfig.getProp("DirectOpenposting").toLowerCase();
+ passwdProtection = MirConfig.getProp("PasswdProtection").toLowerCase();
 mainModule = new ModuleComment(DatabaseComment.getInstance());
 contentModule = new ModuleContent(DatabaseContent.getInstance());
 themenModule = new ModuleTopics(DatabaseTopics.getInstance());
 imageModule = new ModuleImages(DatabaseImages.getInstance());
 defaultAction="addposting";
+
 }
 catch (StorageObjectException e) {
 theLog.printError("servletmoduleopenindy could not be initialized");
@@ -81,8 +83,17 @@ public class ServletModuleOpenIndy extends ServletModule
 String aid = req.getParameter("aid"); // the article id the comment will belong to
 if (aid!=null && !aid.equals(""))
 {
- SimpleHash mergeData = new SimpleHash();
- // ok, article
+ SimpleHash mergeData = new SimpleHash();
+
+ // onetimepasswd
+ if(passwdProtection.equals("yes")){
+ String passwd = this.createOneTimePasswd();
+ System.out.println(passwd);
+ HttpSession session = req.getSession(false);
+ session.setAttribute("passwd",passwd);
+ mergeData.put("passwd", passwd);
+ }
+
 mergeData.put("aid", aid);
 deliver(req, res, mergeData, commentFormTemplate);
 }
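Review bot: `MirConfig.getProp("PasswdProtection").toLowerCase()` has no null guard; the commit message itself warns that config.properties must be updated before compilation, and on a deployment whose properties file lacks the new key getProp presumably returns null, so this line throws a NullPointerException that the `catch (StorageObjectException e)` below does not cover, apparently while the static `instance` field is being initialised. Keep the field's `"yes"` default when the key is absent: `String pp = MirConfig.getProp("PasswdProtection");` followed by `if (pp != null) passwdProtection = pp.toLowerCase();`. The enclosing method starts outside the hunk; the pre-existing `directOp` line has the same shape but is not part of this change.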
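Review bot: `req.getSession(false)` returns null when the client has no session yet, so the first visitor of the comment form gets a NullPointerException at `session.setAttribute("passwd",passwd)` instead of the form; the form side must create the session, `HttpSession session = req.getSession(true);`. The same pattern is in addposting (hunk @@ -147,6 +173,16 @@), and on the verifying side in inscomment (@@ -111,7 +123,21 @@) and insposting (@@ -196,6 +231,20 @@) a missing session should become the existing user error rather than a crash: `if (session == null) throw new ServletModuleUserException("Lost password");` before `session.getAttribute`. `System.out.println(passwd)` also writes every issued token to the container's stdout; remove it in both form handlers or route it through `theLog.printDebugInfo`.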
@@ -94,7 +105,8 @@ public class ServletModuleOpenIndy extends ServletModule
 * the commentDone Page
 */
- public void inscomment(HttpServletRequest req, HttpServletResponse res) throws ServletModuleException
+ public void inscomment(HttpServletRequest req, HttpServletResponse res)
+ throws ServletModuleException,ServletModuleUserException
 {
 String aid = req.getParameter("to_media"); // the article id the comment will belong to
 if (aid!=null && !aid.equals(""))
@@ -111,7 +123,21 @@ public class ServletModuleOpenIndy extends ServletModule
 withValues.put(k,StringUtil.removeHTMLTags(v));
 }
 withValues.put("is_published","1");
-
+
+ //checking the onetimepasswd
+ if(passwdProtection.equals("yes")){
+ HttpSession session = req.getSession(false);
+ String sessionPasswd = (String)session.getAttribute("passwd");
+ if ( sessionPasswd == null){
+ throw new ServletModuleUserException("Lost password");
+ }
+ String passwd = req.getParameter("passwd");
+ if ( passwd == null || (!sessionPasswd.equals(passwd))) {
+ throw new ServletModuleUserException("Missing password");
+ }
+ session.invalidate();
+ }
+
 // inserting into database
 String id = mainModule.add(withValues);
 theLog.printDebugInfo("id: "+id);
@@ -147,6 +173,16 @@ public class ServletModuleOpenIndy extends ServletModule
 public void addposting(HttpServletRequest req, HttpServletResponse res) throws ServletModuleException
 {
 SimpleHash mergeData = new SimpleHash();
+
+ // onetimepasswd
+ if(passwdProtection.equals("yes")){
+ String passwd = this.createOneTimePasswd();
+ System.out.println(passwd);
+ HttpSession session = req.getSession(false);
+ session.setAttribute("passwd",passwd);
+ mergeData.put("passwd", passwd);
+ }
+
 String maxMedia = MirConfig.getProp("ServletModule.OpenIndy.MaxMediaUploadItems");
 String numOfMedia = req.getParameter("medianum");
 if(numOfMedia==null||numOfMedia.equals("")){
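Review bot: `session.invalidate()` after a successful match discards the whole HTTP session rather than just the consumed token; nothing in this hunk shows other session state, so whether that matters is a guess, but `session.removeAttribute("passwd");` consumes the one-time value with the same replay protection (a second submit then hits the existing `"Lost password"` branch) without side effects on the rest of the session. The second message is also misleading: `"Missing password"` is thrown both when the field is absent and when it does not match, so the mismatch case deserves its own text such as `"Wrong password"`. Both points apply equally to the insposting check in hunk @@ -196,6 +231,20 @@.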
@@ -166,7 +202,6 @@ public class ServletModuleOpenIndy extends ServletModule SimpleHash extraInfo = new SimpleHash(); - /** @todo popups missing */ try{ SimpleList popUpData = DatabaseLanguage.getInstance().getPopupData(); extraInfo.put("languagePopUpData", popUpData ); @@ -175,7 +210,7 @@ public class ServletModuleOpenIndy extends ServletModule theLog.printError("languagePopUpData or getTopicslist failed " +e.toString()); throw new ServletModuleException("OpenIndy -- failed getting language or topics: "+e.toString()); - } + } deliver(req, res, mergeData, extraInfo, postingFormTemplate); } @@ -196,6 +231,20 @@ public class ServletModuleOpenIndy extends ServletModule WebdbMultipartRequest mp = new WebdbMultipartRequest(req); HashMap withValues = mp.getParameters(); + + //checking the onetimepasswd + if(passwdProtection.equals("yes")){ + HttpSession session = req.getSession(false); + String sessionPasswd = (String)session.getAttribute("passwd"); + if ( sessionPasswd == null){ + throw new ServletModuleUserException("Lost password"); + } + String passwd = (String)withValues.get("passwd"); + if ( passwd == null || (!sessionPasswd.equals(passwd))) { + throw new ServletModuleUserException("Missing password"); + } + session.invalidate(); + } if ((((String)withValues.get("title")).length() == 0) || (((String)withValues.get("description")).length() == 0) || @@ -284,7 +333,7 @@ public class ServletModuleOpenIndy extends ServletModule * This is a way to get the content-type via the .extension, * we could maybe use a magic method as an additional method of * figuring out the content-type, by looking at the header (first - * few bytes) of the file. (like the file(1) command). We could + * few bytes) of the file. (like the file(1) command). We could * also call the "file" command through Runtime. This is an * option that I almost prefer as it is already implemented and * exists with an up-to-date map on most modern Unix like systems. 
@@ -292,14 +341,14 @@ public class ServletModuleOpenIndy extends ServletModule * in pure java yet. * * The first method we try thought is the "Oreilly method". It - * relies on the content-type that the client browser sends and + * relies on the content-type that the client browser sends and * that sometimes is application-octet stream with * broken/mis-configured browsers. * * The map file we use for the extensions is the standard web-app * deployment descriptor file (web.xml). See Mir's web.xml or see * your Servlet containers (most likely Tomcat) documentation. - * So if you support a new media type you have to make sure that + * So if you support a new media type you have to make sure that * it is in this file -mh */ ServletContext ctx = @@ -362,8 +411,8 @@ public class ServletModuleOpenIndy extends ServletModule mediaType = mediaTypesList.elementAt(j); else if ((mediaTypesList.elementAt(j).getValue("mime_type")).equals( cTypeSplit[0]+"/*") ) - mediaType2= mediaTypesList.elementAt(j); - } + mediaType2= mediaTypesList.elementAt(j); + } if ( (mediaType == null) && (mediaType2 == null) ) { contentModule.deleteById(cid); @@ -468,6 +517,16 @@ public class ServletModuleOpenIndy extends ServletModule +", we do not support this mime-type. " +"Error One or more files of unrecognized type. Sorry"); } + + protected String createOneTimePasswd(){ + Random r = new Random(); + int random = r.nextInt(); + long l = System.currentTimeMillis(); + l = (l*l*l*l)/random; + if(l<0) l = l * -1; + String returnString = ""+l; + return returnString.substring(5); + } } diff --git a/templates-dist/open/comment.template b/templates-dist/open/comment.template index 43ab6d9e..7105365c 100755 --- a/templates-dist/open/comment.template +++ b/templates-dist/open/comment.template @@ -16,6 +16,7 @@
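Review bot: createOneTimePasswd can fail on an unlucky draw: `r.nextInt()` may return 0, so `(l*l*l*l)/random` throws ArithmeticException, and when the quotient has fewer than six digits `returnString.substring(5)` throws StringIndexOutOfBoundsException (the `l * -1` step also leaves Long.MIN_VALUE negative). `java.util.Random` is seeded from the clock, so the token is not a secret in any cryptographic sense; since the value is meant to be known only to the recipient of the page, draw it from `java.security.SecureRandom` and build a fixed-width digit string instead of doing arithmetic on the timestamp, which also gives the template a predictable length. The rewrite below keeps the name, visibility and return type, so both callers are unchanged; it needs `import java.security.SecureRandom;` in this file, and the width of 8 digits is a local choice.
```java
  protected String createOneTimePasswd(){
    // SecureRandom: the token must not be derivable from the clock or a seeded PRNG
    SecureRandom rnd = new SecureRandom();
    // fixed width: the previous substring(5) failed on short quotients
    StringBuffer token = new StringBuffer(8);
    for (int i = 0; i < 8; i++) {
      token.append(rnd.nextInt(10));
    }
    return token.toString();
  }
```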

${lang("open.comment.note")} +
${data.passwd}

@@ -27,6 +28,10 @@ + Passwort: + + + ${lang("open.comment.title")}: diff --git a/templates-dist/open/posting.template b/templates-dist/open/posting.template index a33d3452..ca3ac7ba 100755 --- a/templates-dist/open/posting.template +++ b/templates-dist/open/posting.template @@ -32,7 +32,7 @@ - +
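Review bot: The new field label `Passwort:` is a hard-coded German string, while every other label in this template goes through the language bundle (`${lang("open.comment.title")}` right below it); add a bundle key, for example `open.comment.passwd`, and write `${lang("open.comment.passwd")}` here. The posting.template hunk (@@ -52,6 +52,10 @@) carries the same literal and should use a matching key alongside `open.posting.title`.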
${data.passwd}

@@ -52,6 +52,10 @@
${lang("open.posting.form.title")}
+ + Passwort: + + ${lang("open.posting.title")}:
diff --git a/templates-dist/usererror.template b/templates-dist/usererror.template index 00775afa..594e4dc5 100755 --- a/templates-dist/usererror.template +++ b/templates-dist/usererror.template @@ -3,7 +3,7 @@ ${lang("usererror.htmltitle")} - +
-- 2.11.0