Make private services forbid llHTTPRequest() calls by rejecting those that have the X-SecondLife-Shard header.

If you need to enable this, set AllowHttpRequestIn = true in [Network] for all private services or individual [*Service] sections.

1 files changed, 15 insertions, 3 deletions

diff --git a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
index 5ab613b..30f5bd6 100644
--- a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
+++ b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
@@ -36,15 +36,27 @@ namespace OpenSim.Framework.ServiceAuth
     {
         public static IServiceAuth Create(IConfigSource config, string section)
         {
+            CompoundAuthentication compoundAuth = new CompoundAuthentication();
+
+            bool allowLlHttpRequestIn
+                = Util.GetConfigVarFromSections<bool>(config, "AllowllHTTPRequestIn", new string[] { "Network", section }, false);
+
+            if (!allowLlHttpRequestIn)
+                compoundAuth.AddAuthenticator(new DisallowLlHttpRequest());
+
             string authType = Util.GetConfigVarFromSections<string>(config, "AuthType", new string[] { "Network", section }, "None");
 
             switch (authType)
             {
                 case "BasicHttpAuthentication":
-                    return new BasicHttpAuthentication(config, section);
+                    compoundAuth.AddAuthenticator(new BasicHttpAuthentication(config, section));
+                    break;
             }
 
-            return null;
+            if (compoundAuth.Count > 0)
+                return compoundAuth;
+            else
+                return null;
         }
     }
-}
+}
\ No newline at end of file