diff options
Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
Diffstat (limited to '')
-rw-r--r-- | OpenSim/Framework/Communications/Services/LoginService.cs | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/OpenSim/Framework/Communications/Services/LoginService.cs b/OpenSim/Framework/Communications/Services/LoginService.cs index d9556e4..d491309 100644 --- a/OpenSim/Framework/Communications/Services/LoginService.cs +++ b/OpenSim/Framework/Communications/Services/LoginService.cs | |||
@@ -37,6 +37,7 @@ using log4net; | |||
37 | using Nwc.XmlRpc; | 37 | using Nwc.XmlRpc; |
38 | using OpenMetaverse; | 38 | using OpenMetaverse; |
39 | using OpenMetaverse.StructuredData; | 39 | using OpenMetaverse.StructuredData; |
40 | using OpenSim.Framework; | ||
40 | using OpenSim.Framework.Communications.Cache; | 41 | using OpenSim.Framework.Communications.Cache; |
41 | using OpenSim.Framework.Statistics; | 42 | using OpenSim.Framework.Statistics; |
42 | 43 | ||
@@ -194,6 +195,12 @@ namespace OpenSim.Framework.Communications.Services | |||
194 | 195 | ||
195 | CreateAgent(userProfile, request); | 196 | CreateAgent(userProfile, request); |
196 | 197 | ||
198 | // We need to commit the agent right here, even though the userProfile info is not complete | ||
199 | // at this point. There is another commit further down. | ||
200 | // This is for the new sessionID to be stored so that the region can check it for session authentication. | ||
201 | // CustomiseResponse->PrepareLoginToRegion | ||
202 | CommitAgent(ref userProfile); | ||
203 | |||
197 | try | 204 | try |
198 | { | 205 | { |
199 | UUID agentID = userProfile.ID; | 206 | UUID agentID = userProfile.ID; |
@@ -1108,5 +1115,44 @@ namespace OpenSim.Framework.Communications.Services | |||
1108 | { | 1115 | { |
1109 | return false; | 1116 | return false; |
1110 | } | 1117 | } |
1118 | |||
1119 | public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request) | ||
1120 | { | ||
1121 | XmlRpcResponse response = new XmlRpcResponse(); | ||
1122 | Hashtable requestData = (Hashtable)request.Params[0]; | ||
1123 | |||
1124 | string authed = "FALSE"; | ||
1125 | if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id")) | ||
1126 | { | ||
1127 | UUID guess_aid; | ||
1128 | UUID guess_sid; | ||
1129 | |||
1130 | UUID.TryParse((string)requestData["avatar_uuid"], out guess_aid); | ||
1131 | if (guess_aid == UUID.Zero) | ||
1132 | { | ||
1133 | return Util.CreateUnknownUserErrorResponse(); | ||
1134 | } | ||
1135 | UUID.TryParse((string)requestData["session_id"], out guess_sid); | ||
1136 | if (guess_sid == UUID.Zero) | ||
1137 | { | ||
1138 | return Util.CreateUnknownUserErrorResponse(); | ||
1139 | } | ||
1140 | if (m_userManager.VerifySession(guess_aid, guess_sid)) | ||
1141 | { | ||
1142 | authed = "TRUE"; | ||
1143 | } | ||
1144 | m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid); | ||
1145 | } | ||
1146 | else | ||
1147 | { | ||
1148 | m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE"); | ||
1149 | return Util.CreateUnknownUserErrorResponse(); | ||
1150 | } | ||
1151 | Hashtable responseData = new Hashtable(); | ||
1152 | responseData["auth_session"] = authed; | ||
1153 | response.Value = responseData; | ||
1154 | return response; | ||
1155 | } | ||
1156 | |||
1111 | } | 1157 | } |
1112 | } | 1158 | } |