diff options
Diffstat (limited to '')
-rw-r--r-- | OpenSim/Framework/UntrustedWebRequest.cs | 230 |
1 files changed, 230 insertions, 0 deletions
diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs new file mode 100644 index 0000000..e6411cc --- /dev/null +++ b/OpenSim/Framework/UntrustedWebRequest.cs | |||
@@ -0,0 +1,230 @@ | |||
1 | /* | ||
2 | * Copyright (c) Contributors, http://opensimulator.org/ | ||
3 | * See CONTRIBUTORS.TXT for a full list of copyright holders. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are met: | ||
7 | * * Redistributions of source code must retain the above copyright | ||
8 | * notice, this list of conditions and the following disclaimer. | ||
9 | * * Redistributions in binary form must reproduce the above copyright | ||
10 | * notice, this list of conditions and the following disclaimer in the | ||
11 | * documentation and/or other materials provided with the distribution. | ||
12 | * * Neither the name of the OpenSimulator Project nor the | ||
13 | * names of its contributors may be used to endorse or promote products | ||
14 | * derived from this software without specific prior written permission. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY | ||
17 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | ||
18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
19 | * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY | ||
20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | ||
21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS | ||
25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | using System; | ||
29 | using System.Collections.Generic; | ||
30 | using System.IO; | ||
31 | using System.Net; | ||
32 | using System.Net.Security; | ||
33 | using System.Text; | ||
34 | using log4net; | ||
35 | |||
36 | namespace OpenSim.Framework | ||
37 | { | ||
38 | /// <summary> | ||
39 | /// Used for requests to untrusted endpoints that may potentially be | ||
40 | /// malicious | ||
41 | /// </summary> | ||
42 | public static class UntrustedHttpWebRequest | ||
43 | { | ||
44 | /// <summary>Setting this to true will allow HTTP connections to localhost</summary> | ||
45 | private const bool DEBUG = true; | ||
46 | |||
47 | private static readonly ILog m_log = | ||
48 | LogManager.GetLogger( | ||
49 | System.Reflection.MethodBase.GetCurrentMethod().DeclaringType); | ||
50 | |||
51 | private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" }; | ||
52 | |||
53 | /// <summary> | ||
54 | /// Creates an HttpWebRequest that is hardened against malicious | ||
55 | /// endpoints after ensuring the given Uri is safe to retrieve | ||
56 | /// </summary> | ||
57 | /// <param name="uri">Web location to request</param> | ||
58 | /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns> | ||
59 | /// <exception cref="ArgumentNullException">If uri is null</exception> | ||
60 | /// <exception cref="ArgumentException">If uri is unsafe</exception> | ||
61 | public static HttpWebRequest Create(Uri uri) | ||
62 | { | ||
63 | return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10); | ||
64 | } | ||
65 | |||
66 | /// <summary> | ||
67 | /// Creates an HttpWebRequest that is hardened against malicious | ||
68 | /// endpoints after ensuring the given Uri is safe to retrieve | ||
69 | /// </summary> | ||
70 | /// <param name="uri">Web location to request</param> | ||
71 | /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param> | ||
72 | /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param> | ||
73 | /// <param name="timeoutMS">Connection timeout, in milliseconds</param> | ||
74 | /// <param name="maximumRedirects">Maximum number of allowed redirects</param> | ||
75 | /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns> | ||
76 | /// <exception cref="ArgumentNullException">If uri is null</exception> | ||
77 | /// <exception cref="ArgumentException">If uri is unsafe</exception> | ||
78 | public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects) | ||
79 | { | ||
80 | if (uri == null) | ||
81 | throw new ArgumentNullException("uri"); | ||
82 | |||
83 | if (!IsUriAllowable(uri, allowLoopback)) | ||
84 | throw new ArgumentException("Uri " + uri + " was rejected"); | ||
85 | |||
86 | HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri); | ||
87 | httpWebRequest.MaximumAutomaticRedirections = maximumRedirects; | ||
88 | httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS; | ||
89 | httpWebRequest.Timeout = timeoutMS; | ||
90 | httpWebRequest.KeepAlive = false; | ||
91 | |||
92 | return httpWebRequest; | ||
93 | } | ||
94 | |||
95 | public static string PostToUntrustedUrl(Uri url, string data) | ||
96 | { | ||
97 | try | ||
98 | { | ||
99 | byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data); | ||
100 | |||
101 | HttpWebRequest request = Create(url); | ||
102 | request.Method = "POST"; | ||
103 | request.ContentLength = requestData.Length; | ||
104 | request.ContentType = "application/x-www-form-urlencoded"; | ||
105 | |||
106 | using (Stream requestStream = request.GetRequestStream()) | ||
107 | requestStream.Write(requestData, 0, requestData.Length); | ||
108 | |||
109 | using (WebResponse response = request.GetResponse()) | ||
110 | { | ||
111 | using (Stream responseStream = response.GetResponseStream()) | ||
112 | return responseStream.GetStreamString(); | ||
113 | } | ||
114 | } | ||
115 | catch (Exception ex) | ||
116 | { | ||
117 | m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message); | ||
118 | return null; | ||
119 | } | ||
120 | } | ||
121 | |||
122 | public static string GetUntrustedUrl(Uri url) | ||
123 | { | ||
124 | try | ||
125 | { | ||
126 | HttpWebRequest request = Create(url); | ||
127 | |||
128 | using (WebResponse response = request.GetResponse()) | ||
129 | { | ||
130 | using (Stream responseStream = response.GetResponseStream()) | ||
131 | return responseStream.GetStreamString(); | ||
132 | } | ||
133 | } | ||
134 | catch (Exception ex) | ||
135 | { | ||
136 | m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message); | ||
137 | return null; | ||
138 | } | ||
139 | } | ||
140 | |||
141 | /// <summary> | ||
142 | /// Determines whether a URI is allowed based on scheme and host name. | ||
143 | /// No requireSSL check is done here | ||
144 | /// </summary> | ||
145 | /// <param name="allowLoopback">True to allow loopback addresses to be used</param> | ||
146 | /// <param name="uri">The URI to test for whether it should be allowed.</param> | ||
147 | /// <returns> | ||
148 | /// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>. | ||
149 | /// </returns> | ||
150 | private static bool IsUriAllowable(Uri uri, bool allowLoopback) | ||
151 | { | ||
152 | if (!allowableSchemes.Contains(uri.Scheme)) | ||
153 | { | ||
154 | m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri); | ||
155 | return false; | ||
156 | } | ||
157 | |||
158 | // Try to interpret the hostname as an IP address so we can test for internal | ||
159 | // IP address ranges. Note that IP addresses can appear in many forms | ||
160 | // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1 | ||
161 | // So we convert them to a canonical IPAddress instance, and test for all | ||
162 | // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1 | ||
163 | // Note that Uri.IsLoopback is very unreliable, not catching many of these variants. | ||
164 | IPAddress hostIPAddress; | ||
165 | if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress)) | ||
166 | { | ||
167 | byte[] addressBytes = hostIPAddress.GetAddressBytes(); | ||
168 | |||
169 | // The host is actually an IP address. | ||
170 | switch (hostIPAddress.AddressFamily) | ||
171 | { | ||
172 | case System.Net.Sockets.AddressFamily.InterNetwork: | ||
173 | if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10)) | ||
174 | { | ||
175 | m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri); | ||
176 | return false; | ||
177 | } | ||
178 | break; | ||
179 | case System.Net.Sockets.AddressFamily.InterNetworkV6: | ||
180 | if (!allowLoopback && IsIPv6Loopback(hostIPAddress)) | ||
181 | { | ||
182 | m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri); | ||
183 | return false; | ||
184 | } | ||
185 | break; | ||
186 | default: | ||
187 | m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri); | ||
188 | return false; | ||
189 | } | ||
190 | } | ||
191 | else | ||
192 | { | ||
193 | // The host is given by name. We require names to contain periods to | ||
194 | // help make sure it's not an internal address. | ||
195 | if (!allowLoopback && !uri.Host.Contains(".")) | ||
196 | { | ||
197 | m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri); | ||
198 | return false; | ||
199 | } | ||
200 | } | ||
201 | |||
202 | return true; | ||
203 | } | ||
204 | |||
205 | /// <summary> | ||
206 | /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1". | ||
207 | /// </summary> | ||
208 | /// <param name="ip">The ip address to check.</param> | ||
209 | /// <returns> | ||
210 | /// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise. | ||
211 | /// </returns> | ||
212 | private static bool IsIPv6Loopback(IPAddress ip) | ||
213 | { | ||
214 | if (ip == null) | ||
215 | throw new ArgumentNullException("ip"); | ||
216 | |||
217 | byte[] addressBytes = ip.GetAddressBytes(); | ||
218 | for (int i = 0; i < addressBytes.Length - 1; i++) | ||
219 | { | ||
220 | if (addressBytes[i] != 0) | ||
221 | return false; | ||
222 | } | ||
223 | |||
224 | if (addressBytes[addressBytes.Length - 1] != 1) | ||
225 | return false; | ||
226 | |||
227 | return true; | ||
228 | } | ||
229 | } | ||
230 | } | ||