Diffstat (limited to 'OpenSim/Framework/UntrustedWebRequest.cs')
-rw-r--r--OpenSim/Framework/UntrustedWebRequest.cs230
1 files changed, 230 insertions, 0 deletions
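diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs
new file mode 100644
index 0000000..e6411cc
--- /dev/null
+++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) Contributors, http://opensimulator.org/
+ * See CONTRIBUTORS.TXT for a full list of copyright holders.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of the OpenSimulator Project nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System.Net.Security;
+using System.Text;
+using log4net;
+
+namespace OpenSim.Framework
+{
+ /// <summary>
+ /// Used for requests to untrusted endpoints that may potentially be
+ /// malicious
+ /// </summary>
+ public static class UntrustedHttpWebRequest
+ {
+ /// <summary>Setting this to true will allow HTTP connections to localhost</summary>
+ private const bool DEBUG = true;
+
+ private static readonly ILog m_log =
+ LogManager.GetLogger(
+ System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
+
+ private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
+
+ /// <summary>
+ /// Creates an HttpWebRequest that is hardened against malicious
+ /// endpoints after ensuring the given Uri is safe to retrieve
+ /// </summary>
+ /// <param name="uri">Web location to request</param>
+ /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+ /// <exception cref="ArgumentNullException">If uri is null</exception>
+ /// <exception cref="ArgumentException">If uri is unsafe</exception>
+ public static HttpWebRequest Create(Uri uri)
+ {
+ return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
+ }
+
+ /// <summary>
+ /// Creates an HttpWebRequest that is hardened against malicious
+ /// endpoints after ensuring the given Uri is safe to retrieve
+ /// </summary>
+ /// <param name="uri">Web location to request</param>
+ /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
+ /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
+ /// <param name="timeoutMS">Connection timeout, in milliseconds</param>
+ /// <param name="maximumRedirects">Maximum number of allowed redirects</param>
+ /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+ /// <exception cref="ArgumentNullException">If uri is null</exception>
+ /// <exception cref="ArgumentException">If uri is unsafe</exception>
+ public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
+ {
+ if (uri == null)
+ throw new ArgumentNullException("uri");
+
+ if (!IsUriAllowable(uri, allowLoopback))
+ throw new ArgumentException("Uri " + uri + " was rejected");
+
+ HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
+ httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
+ httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
+ httpWebRequest.Timeout = timeoutMS;
+ httpWebRequest.KeepAlive = false;
+
+ return httpWebRequest;
+ }
+
+ public static string PostToUntrustedUrl(Uri url, string data)
+ {
+ try
+ {
+ byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
+
+ HttpWebRequest request = Create(url);
+ request.Method = "POST";
+ request.ContentLength = requestData.Length;
+ request.ContentType = "application/x-www-form-urlencoded";
+
+ using (Stream requestStream = request.GetRequestStream())
+ requestStream.Write(requestData, 0, requestData.Length);
+
+ using (WebResponse response = request.GetResponse())
+ {
+ using (Stream responseStream = response.GetResponseStream())
+ return responseStream.GetStreamString();
+ }
+ }
+ catch (Exception ex)
+ {
+ m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
+ return null;
+ }
+ }
+
+ public static string GetUntrustedUrl(Uri url)
+ {
+ try
+ {
+ HttpWebRequest request = Create(url);
+
+ using (WebResponse response = request.GetResponse())
+ {
+ using (Stream responseStream = response.GetResponseStream())
+ return responseStream.GetStreamString();
+ }
+ }
+ catch (Exception ex)
+ {
+ m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
+ return null;
+ }
+ }
+
+ /// <summary>
+ /// Determines whether a URI is allowed based on scheme and host name.
+ /// No requireSSL check is done here
+ /// </summary>
+ /// <param name="allowLoopback">True to allow loopback addresses to be used</param>
+ /// <param name="uri">The URI to test for whether it should be allowed.</param>
+ /// <returns>
+ /// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
+ /// </returns>
+ private static bool IsUriAllowable(Uri uri, bool allowLoopback)
+ {
+ if (!allowableSchemes.Contains(uri.Scheme))
+ {
+ m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
+ return false;
+ }
+
+ // Try to interpret the hostname as an IP address so we can test for internal
+ // IP address ranges. Note that IP addresses can appear in many forms
+ // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
+ // So we convert them to a canonical IPAddress instance, and test for all
+ // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1
+ // Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
+ IPAddress hostIPAddress;
+ if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
+ {
+ byte[] addressBytes = hostIPAddress.GetAddressBytes();
+
+ // The host is actually an IP address.
+ switch (hostIPAddress.AddressFamily)
+ {
+ case System.Net.Sockets.AddressFamily.InterNetwork:
+ if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10))
+ {
+ m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+ return false;
+ }
+ break;
+ case System.Net.Sockets.AddressFamily.InterNetworkV6:
+ if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
+ {
+ m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+ return false;
+ }
+ break;
+ default:
+ m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
+ return false;
+ }
+ }
+ else
+ {
+ // The host is given by name. We require names to contain periods to
+ // help make sure it's not an internal address.
+ if (!allowLoopback && !uri.Host.Contains("."))
+ {
+ m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /// <summary>
+ /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
+ /// </summary>
+ /// <param name="ip">The ip address to check.</param>
+ /// <returns>
+ /// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
+ /// </returns>
+ private static bool IsIPv6Loopback(IPAddress ip)
+ {
+ if (ip == null)
+ throw new ArgumentNullException("ip");
+
+ byte[] addressBytes = ip.GetAddressBytes();
+ for (int i = 0; i < addressBytes.Length - 1; i++)
+ {
+ if (addressBytes[i] != 0)
+ return false;
+ }
+
+ if (addressBytes[addressBytes.Length - 1] != 1)
+ return false;
+
+ return true;
+ }
+ }
+}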
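Review bot: `private const bool DEBUG = true;` is what `Create(Uri)` passes as `allowLoopback`, so `PostToUntrustedUrl` and `GetUntrustedUrl` skip every loopback, private-range and dotless-host test in `IsUriAllowable`; this should ship as `private const bool DEBUG = false;` or be read from configuration. Even with it off, the IPv4 branch rejects only 127.* and 10.*, leaving 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 and 0.0.0.0 allowed, and the IPv6 branch rejects only ::1, not IPv4-mapped, link-local or unique-local addresses. A host given by name is accepted on the presence of a period alone, and up to ten automatic redirects are followed without re-running the check, so a public name or a redirect that points at an internal address still passes. Resolving the name and validating every resolved address, plus setting `httpWebRequest.AllowAutoRedirect = false` and validating each hop before following it, would close both gaps. The two public helpers also lack XML doc comments; each should state that it returns `null` on any failure and that the response body is read without a visible size limit.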