authorJohan Berntsson2008-07-23 06:59:02 +0000
committerJohan Berntsson2008-07-23 06:59:02 +0000
commit344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 (patch)
tree2c4d9fdd3d63384f009307f63eb6e0646e054593 /OpenSim/Grid/InventoryServer/Main.cs
parentEnable LSL <-> C# source location mapping when reporing compiler errors to th... (diff)
thanks lulurun for a security patch that blocks unauthorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)
Diffstat (limited to '')
-rw-r--r--OpenSim/Grid/InventoryServer/Main.cs39
1 files changed, 20 insertions, 19 deletions
diff --git a/OpenSim/Grid/InventoryServer/Main.cs b/OpenSim/Grid/InventoryServer/Main.cs
index 2ab1916..138aa1a 100644
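--- a/OpenSim/Grid/InventoryServer/Main.cs
+++ b/OpenSim/Grid/InventoryServer/Main.cs
@@ -70,7 +70,8 @@ namespace OpenSim.Grid.InventoryServer
 
 m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml")));
 
-m_inventoryService = new GridInventoryService();
+//m_inventoryService = new GridInventoryService();
+m_inventoryService = new GridInventoryService(m_config.UserServerURL);
 m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect);
 
 m_log.Info("[" + LogName + "]: Starting HTTP server ...");
@@ -85,36 +86,36 @@ namespace OpenSim.Grid.InventoryServer
 protected void AddHttpHandlers()
 {
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<Guid, InventoryCollection>(
-"POST", "/GetInventory/", m_inventoryService.GetUserInventory));
+new RestDeserialiseSecureHandler<Guid, InventoryCollection>(
+"POST", "/GetInventory/", m_inventoryService.GetUserInventory, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<Guid, bool>(
-"POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory));
+new RestDeserialiseTrustedHandler<Guid, bool>(
+"POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory, m_inventoryService.CheckTrustSource));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryFolderBase, bool>(
-"POST", "/NewFolder/", m_inventoryService.AddFolder));
+new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+"POST", "/NewFolder/", m_inventoryService.AddFolder, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryFolderBase, bool>(
-"POST", "/UpdateFolder/", m_inventoryService.UpdateFolder));
+new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+"POST", "/UpdateFolder/", m_inventoryService.UpdateFolder, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryFolderBase, bool>(
-"POST", "/MoveFolder/", m_inventoryService.MoveFolder));
+new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+"POST", "/MoveFolder/", m_inventoryService.MoveFolder, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryFolderBase, bool>(
-"POST", "/PurgeFolder/", m_inventoryService.PurgeFolder));
+new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+"POST", "/PurgeFolder/", m_inventoryService.PurgeFolder, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryItemBase, bool>(
-"POST", "/NewItem/", m_inventoryService.AddItem));
+new RestDeserialiseSecureHandler<InventoryItemBase, bool>(
+"POST", "/NewItem/", m_inventoryService.AddItem, m_inventoryService.CheckAuthSession));
 
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<InventoryItemBase, bool>(
-"POST", "/DeleteItem/", m_inventoryService.DeleteItem));
+new RestDeserialiseSecureHandler<InventoryItemBase, bool>(
+"POST", "/DeleteItem/", m_inventoryService.DeleteItem, m_inventoryService.CheckAuthSession));
 
 // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g
 // system folders such as Objects, Textures), but it now returns the entire inventory skeleton.
@@ -122,8 +123,8 @@ namespace OpenSim.Grid.InventoryServer
 // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier
 // to do this for now.
 m_httpServer.AddStreamHandler(
-new RestDeserialiseHandler<Guid, List<InventoryFolderBase>>
-("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton));
+new RestDeserialiseTrustedHandler<Guid, List<InventoryFolderBase>>
+("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton, m_inventoryService.CheckTrustSource));
 }
 
 private void Work()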
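Review bot: In AddHttpHandlers, `/CreateInventory/` and `/RootFolders/` are registered with `RestDeserialiseTrustedHandler` and `m_inventoryService.CheckTrustSource`, while every other route gets `RestDeserialiseSecureHandler` with `CheckAuthSession`, and nothing in the method records why these two skip the per-session check. The existing comment says `/RootFolders/` now returns the entire inventory skeleton for a bare `Guid`, so whatever `CheckTrustSource` verifies (not visible in this diff) is the only gate on that data. I would add a comment above each of the two registrations, e.g. `// Trusted-source route: no user session is presented here; access is limited by CheckTrustSource (confirm what it validates)`. In the first hunk the commented-out `//m_inventoryService = new GridInventoryService();` should be deleted rather than kept. It is also worth rejecting an empty `m_config.UserServerURL` at startup, since the new checks presumably depend on it; that code sits in a method whose start is outside the hunk.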