authorJustin Clark-Casey (justincc)2015-03-04 17:43:00 +0000
committerJustin Clark-Casey (justincc)2015-03-04 18:27:50 +0000
commit7d3bafd5abf22f5c1ea3c3d8918d9b8177693bda (patch)
treee50126a4e6c23ac747bf0842774538dc731d2d85 /bin
parentusability fixes for LSL API (diff)
Add outbound URL filter to llHttpRequest() and osSetDynamicTextureURL*() script functions.
This is to address an issue where HTTP script functions could make calls to localhost and other endpoints inside the simulator's LAN. By default, calls to all private addresses are now blocked as per http://en.wikipedia.org/wiki/Reserved_IP_addresses. If you require exceptions to this, configure [Network] OutboundDisallowForUserScriptsExcept in OpenSim.ini
Diffstat (limited to '')
-rw-r--r--bin/LukeSkywalker.IPNetwork.dllbin0 -> 18432 bytes
-rw-r--r--bin/OpenSim.ini.example26
-rw-r--r--bin/OpenSimDefaults.ini20
3 files changed, 46 insertions, 0 deletions
diff --git a/bin/LukeSkywalker.IPNetwork.dll b/bin/LukeSkywalker.IPNetwork.dll
new file mode 100644
index 0000000..25bcc2f
--- /dev/null
+++ b/bin/LukeSkywalker.IPNetwork.dll
Binary files differ
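diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example
index 1b5a4af..ebc0ff6 100644
--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -486,6 +486,32 @@
 ;; the region ports use UDP.
 ; http_listener_port = 9000
 
+; By default, OpenSimulator does not allow scripts to make HTTP calls to addresses on the simulator's LAN.
+; See the OutboundDisallowForUserScripts parameter in OpenSimDefaults.ini for more information on this filter.
+; If you need to allow scripts to make some LAN calls use the OutboundDisallowForUserScriptsExcept parameter below.
+; We recommend that you do not override OutboundDisallowForUserScripts directly unless you are very sure about what you're doing.
+;
+; You can whitelist individual endpoints by IP or FQDN, e.g.
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.3:8003
+;
+; You can specify multiple addresses by separating them with a bar. For example,
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.3:8003|myinternalserver:8000
+;
+; If an address if given without a port number then port 80 is assumed
+;
+; You can also specify a network range in CIDR notation to whitelist, e.g.
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.0/24
+;
+; to whitelist all ports on addresses 192.168.1.0 to 192.168.1.255
+; To specify an individual IP address use the /32 netmask
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.2/32
+;
+; See http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation for more information on CIDR notation
+
 ;# {ExternalHostNameForLSL} {} {Hostname to use for HTTP-IN URLs. This should be reachable from the internet.} {}
 ;; Hostname to use in llRequestURL/llRequestSecureURL
 ;; if not defined - default machine name is being used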
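Review bot: The CIDR examples are documented as exempting all ports on the matched addresses, while a bare address is documented as port 80 only, so the `192.168.1.2/32` form presumably opens far more than the `<addr>:<port>` form and the text does not say which to prefer. I would add after the /32 example: `; A CIDR entry exempts every port on the matched addresses; prefer <addr>:<port> when only one service must be reachable.` The FQDN form (`myinternalserver:8000`) also does not say when the name is resolved, which is worth stating because the exception is then only as reliable as that lookup. The default-port sentence reads "if given" where "is given" is meant.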
diff --git a/bin/OpenSimDefaults.ini b/bin/OpenSimDefaults.ini
index 4faf7f3..af37ccc 100644
--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -492,6 +492,26 @@
492 ; (on Windows this mean NETBIOS name - useably only inside local network) 492 ; (on Windows this mean NETBIOS name - useably only inside local network)
493 ; ExternalHostNameForLSL=127.0.0.1 493 ; ExternalHostNameForLSL=127.0.0.1
494 494
495 ; Disallow the following address ranges for user scripting calls (e.g. llHttpRequest())
496 ; This is based on http://en.wikipedia.org/wiki/Reserved_IP_addresses
497 ; This stops users making HTTP calls to machines in the simulator's local network.
498 ; If you need to allow some LAN calls we recommend you use OutboundDisallowForUserScriptsExcept documented in OpenSim.ini.example
499 ; If you override OutboundDisallowForUserScripts directly you need to be very careful.
500 ;
501 ; Network ranges are specified in CIDR notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) with multiple entries separated by |
502 ; To specify an individual IP address use the /32 netmask (e.g. 192.168.1.3/32)
503 ; You can also specify individual <addr>:<port> endpoints (e.g. 192.168.1.3:8003)
504 ; If an address if given without a port number then port 80 is assumed.
505 OutboundDisallowForUserScripts = 0.0.0.0/8|10.0.0.0/8|100.64.0.0/10|127.0.0.0/8|169.254.0.0/16|172.16.0.0/12|192.0.0.0/24|192.0.2.0/24|192.88.99.0/24|192.168.0.0/16|198.18.0.0/15|198.51.100.0/24|203.0.113.0/24|224.0.0.0/4|240.0.0.0/4|255.255.255.255/32
506 ;
507 ; You can also prevent all user script outgoing calls with the following override in OpenSim.ini
508 ;
509 ; OutboundDisallowForUserScripts = 0.0.0.0/0
510 ;
511 ; You can also disable the blacklist entirely with an empty entry
512 ;
513 ; OutboundDisallowForUserScripts = ""
514
495 ; What is reported as the "X-Secondlife-Shard" 515 ; What is reported as the "X-Secondlife-Shard"
496 ; Defaults to the user server url if not set 516 ; Defaults to the user server url if not set
497 ; The old default is "OpenSim", set here for compatibility 517 ; The old default is "OpenSim", set here for compatibility