diff options
Diffstat (limited to 'OpenSim/Framework/UntrustedWebRequest.cs')
-rw-r--r-- | OpenSim/Framework/UntrustedWebRequest.cs | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs new file mode 100644 index 0000000..1af7c41 --- /dev/null +++ b/OpenSim/Framework/UntrustedWebRequest.cs | |||
@@ -0,0 +1,203 @@ | |||
1 | using System; | ||
2 | using System.Collections.Generic; | ||
3 | using System.IO; | ||
4 | using System.Net; | ||
5 | using System.Net.Security; | ||
6 | using System.Text; | ||
7 | using log4net; | ||
8 | |||
9 | namespace OpenSim.Framework | ||
10 | { | ||
11 | /// <summary> | ||
12 | /// Used for requests to untrusted endpoints that may potentially be | ||
13 | /// malicious | ||
14 | /// </summary> | ||
15 | public static class UntrustedHttpWebRequest | ||
16 | { | ||
17 | /// <summary>Setting this to true will allow HTTP connections to localhost</summary> | ||
18 | private const bool DEBUG = true; | ||
19 | |||
20 | private static readonly ILog m_log = | ||
21 | LogManager.GetLogger( | ||
22 | System.Reflection.MethodBase.GetCurrentMethod().DeclaringType); | ||
23 | |||
24 | private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" }; | ||
25 | |||
26 | /// <summary> | ||
27 | /// Creates an HttpWebRequest that is hardened against malicious | ||
28 | /// endpoints after ensuring the given Uri is safe to retrieve | ||
29 | /// </summary> | ||
30 | /// <param name="uri">Web location to request</param> | ||
31 | /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns> | ||
32 | /// <exception cref="ArgumentNullException">If uri is null</exception> | ||
33 | /// <exception cref="ArgumentException">If uri is unsafe</exception> | ||
34 | public static HttpWebRequest Create(Uri uri) | ||
35 | { | ||
36 | return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10); | ||
37 | } | ||
38 | |||
39 | /// <summary> | ||
40 | /// Creates an HttpWebRequest that is hardened against malicious | ||
41 | /// endpoints after ensuring the given Uri is safe to retrieve | ||
42 | /// </summary> | ||
43 | /// <param name="uri">Web location to request</param> | ||
44 | /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param> | ||
45 | /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param> | ||
46 | /// <param name="timeoutMS">Connection timeout, in milliseconds</param> | ||
47 | /// <param name="maximumRedirects">Maximum number of allowed redirects</param> | ||
48 | /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns> | ||
49 | /// <exception cref="ArgumentNullException">If uri is null</exception> | ||
50 | /// <exception cref="ArgumentException">If uri is unsafe</exception> | ||
51 | public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects) | ||
52 | { | ||
53 | if (uri == null) | ||
54 | throw new ArgumentNullException("uri"); | ||
55 | |||
56 | if (!IsUriAllowable(uri, allowLoopback)) | ||
57 | throw new ArgumentException("Uri " + uri + " was rejected"); | ||
58 | |||
59 | HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri); | ||
60 | httpWebRequest.MaximumAutomaticRedirections = maximumRedirects; | ||
61 | httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS; | ||
62 | httpWebRequest.Timeout = timeoutMS; | ||
63 | httpWebRequest.KeepAlive = false; | ||
64 | |||
65 | return httpWebRequest; | ||
66 | } | ||
67 | |||
68 | public static string PostToUntrustedUrl(Uri url, string data) | ||
69 | { | ||
70 | try | ||
71 | { | ||
72 | byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data); | ||
73 | |||
74 | HttpWebRequest request = Create(url); | ||
75 | request.Method = "POST"; | ||
76 | request.ContentLength = requestData.Length; | ||
77 | request.ContentType = "application/x-www-form-urlencoded"; | ||
78 | |||
79 | using (Stream requestStream = request.GetRequestStream()) | ||
80 | requestStream.Write(requestData, 0, requestData.Length); | ||
81 | |||
82 | using (WebResponse response = request.GetResponse()) | ||
83 | { | ||
84 | using (Stream responseStream = response.GetResponseStream()) | ||
85 | return responseStream.GetStreamString(); | ||
86 | } | ||
87 | } | ||
88 | catch (Exception ex) | ||
89 | { | ||
90 | m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message); | ||
91 | return null; | ||
92 | } | ||
93 | } | ||
94 | |||
95 | public static string GetUntrustedUrl(Uri url) | ||
96 | { | ||
97 | try | ||
98 | { | ||
99 | HttpWebRequest request = Create(url); | ||
100 | |||
101 | using (WebResponse response = request.GetResponse()) | ||
102 | { | ||
103 | using (Stream responseStream = response.GetResponseStream()) | ||
104 | return responseStream.GetStreamString(); | ||
105 | } | ||
106 | } | ||
107 | catch (Exception ex) | ||
108 | { | ||
109 | m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message); | ||
110 | return null; | ||
111 | } | ||
112 | } | ||
113 | |||
114 | /// <summary> | ||
115 | /// Determines whether a URI is allowed based on scheme and host name. | ||
116 | /// No requireSSL check is done here | ||
117 | /// </summary> | ||
118 | /// <param name="allowLoopback">True to allow loopback addresses to be used</param> | ||
119 | /// <param name="uri">The URI to test for whether it should be allowed.</param> | ||
120 | /// <returns> | ||
121 | /// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>. | ||
122 | /// </returns> | ||
123 | private static bool IsUriAllowable(Uri uri, bool allowLoopback) | ||
124 | { | ||
125 | if (!allowableSchemes.Contains(uri.Scheme)) | ||
126 | { | ||
127 | m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri); | ||
128 | return false; | ||
129 | } | ||
130 | |||
131 | // Try to interpret the hostname as an IP address so we can test for internal | ||
132 | // IP address ranges. Note that IP addresses can appear in many forms | ||
133 | // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1 | ||
134 | // So we convert them to a canonical IPAddress instance, and test for all | ||
135 | // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1 | ||
136 | // Note that Uri.IsLoopback is very unreliable, not catching many of these variants. | ||
137 | IPAddress hostIPAddress; | ||
138 | if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress)) | ||
139 | { | ||
140 | byte[] addressBytes = hostIPAddress.GetAddressBytes(); | ||
141 | |||
142 | // The host is actually an IP address. | ||
143 | switch (hostIPAddress.AddressFamily) | ||
144 | { | ||
145 | case System.Net.Sockets.AddressFamily.InterNetwork: | ||
146 | if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10)) | ||
147 | { | ||
148 | m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri); | ||
149 | return false; | ||
150 | } | ||
151 | break; | ||
152 | case System.Net.Sockets.AddressFamily.InterNetworkV6: | ||
153 | if (!allowLoopback && IsIPv6Loopback(hostIPAddress)) | ||
154 | { | ||
155 | m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri); | ||
156 | return false; | ||
157 | } | ||
158 | break; | ||
159 | default: | ||
160 | m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri); | ||
161 | return false; | ||
162 | } | ||
163 | } | ||
164 | else | ||
165 | { | ||
166 | // The host is given by name. We require names to contain periods to | ||
167 | // help make sure it's not an internal address. | ||
168 | if (!allowLoopback && !uri.Host.Contains(".")) | ||
169 | { | ||
170 | m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri); | ||
171 | return false; | ||
172 | } | ||
173 | } | ||
174 | |||
175 | return true; | ||
176 | } | ||
177 | |||
178 | /// <summary> | ||
179 | /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1". | ||
180 | /// </summary> | ||
181 | /// <param name="ip">The ip address to check.</param> | ||
182 | /// <returns> | ||
183 | /// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise. | ||
184 | /// </returns> | ||
185 | private static bool IsIPv6Loopback(IPAddress ip) | ||
186 | { | ||
187 | if (ip == null) | ||
188 | throw new ArgumentNullException("ip"); | ||
189 | |||
190 | byte[] addressBytes = ip.GetAddressBytes(); | ||
191 | for (int i = 0; i < addressBytes.Length - 1; i++) | ||
192 | { | ||
193 | if (addressBytes[i] != 0) | ||
194 | return false; | ||
195 | } | ||
196 | |||
197 | if (addressBytes[addressBytes.Length - 1] != 1) | ||
198 | return false; | ||
199 | |||
200 | return true; | ||
201 | } | ||
202 | } | ||
203 | } | ||