Diffstat (limited to 'OpenSim/Region/ScriptEngine/Shared')
-rw-r--r-- | OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs | 55 |
1 files changed, 53 insertions, 2 deletions
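--- a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs
+++ b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs
@@ -3315,8 +3315,6 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api
 {
 // Unregister controls from Presence
 presence.UnRegisterControlEventsToScript(m_host.LocalId, m_item.ItemID);
-// Remove Take Control permission.
-m_item.PermsMask &= ~ScriptBaseClass.PERMISSION_TAKE_CONTROLS;
 }
 }
 }
@@ -11471,6 +11469,59 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api
 if (userAgent != null)
 httpHeaders["User-Agent"] = userAgent;
 
+// See if the URL contains any header hacks
+string[] urlParts = url.Split(new char[] {'\n'});
+if (urlParts.Length > 1)
+{
+// Iterate the passed headers and parse them
+for (int i = 1 ; i < urlParts.Length ; i++ )
+{
+// The rest of those would be added to the body in SL.
+// Let's not do that.
+if (urlParts[i] == String.Empty)
+break;
+
+// See if this could be a valid header
+string[] headerParts = urlParts[i].Split(new char[] {':'}, 2);
+if (headerParts.Length != 2)
+continue;
+
+string headerName = headerParts[0].Trim();
+string headerValue = headerParts[1].Trim();
+
+// Filter out headers that could be used to abuse
+// another system or cloak the request
+if (headerName.ToLower() == "x-secondlife-shard" ||
+headerName.ToLower() == "x-secondlife-object-name" ||
+headerName.ToLower() == "x-secondlife-object-key" ||
+headerName.ToLower() == "x-secondlife-region" ||
+headerName.ToLower() == "x-secondlife-local-position" ||
+headerName.ToLower() == "x-secondlife-local-velocity" ||
+headerName.ToLower() == "x-secondlife-local-rotation" ||
+headerName.ToLower() == "x-secondlife-owner-name" ||
+headerName.ToLower() == "x-secondlife-owner-key" ||
+headerName.ToLower() == "connection" ||
+headerName.ToLower() == "content-length" ||
+headerName.ToLower() == "from" ||
+headerName.ToLower() == "host" ||
+headerName.ToLower() == "proxy-authorization" ||
+headerName.ToLower() == "referer" ||
+headerName.ToLower() == "trailer" ||
+headerName.ToLower() == "transfer-encoding" ||
+headerName.ToLower() == "via" ||
+headerName.ToLower() == "authorization")
+continue;
+
+httpHeaders[headerName] = headerValue;
+}
+
+// Finally, strip any protocol specifier from the URL
+url = urlParts[0].Trim();
+int idx = url.IndexOf(" HTTP/");
+if (idx != -1)
+url = url.Substring(0, idx);
+}
+
 string authregex = @"^(https?:\/\/)(\w+):(\w+)@(.*)$";
 Regex r = new Regex(authregex);
 int[] gnums = r.GetGroupNumbers();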
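Review bot: The deny list in the added header loop is matched with `headerName.ToLower()`, which is culture-sensitive, so under a locale such as Turkish a name like `AUTHORIZATION` or `VIA` lowers to a string containing a dotless ı, misses every entry and reaches `httpHeaders[headerName] = headerValue`; compare with `ToLowerInvariant()` or `StringComparison.OrdinalIgnoreCase` instead. The nine `x-secondlife-*` entries are exact names, so any other header with that prefix passes, and `User-Agent`, set just above the block, can be overwritten from the URL; a prefix test and an explicit decision on `User-Agent` would close that. Because the URL is split only on `\n` and `Trim()` touches only the ends, an empty name or a value with an embedded `\r` is also stored; how the request layer treats those is not visible here, so rejecting them at this point is the safer choice. The enclosing method starts and ends outside the hunk.

```csharp
// … unchanged: split url on '\n', loop over urlParts, split each line at the first ':' …
string headerName = headerParts[0].Trim();
string headerValue = headerParts[1].Trim();

// Skip empty names and anything still carrying a bare CR after trimming
if (headerName.Length == 0 ||
    headerName.IndexOf('\r') != -1 ||
    headerValue.IndexOf('\r') != -1)
    continue;

// Culture-independent match, so the deny list behaves the same under any locale
string lowered = headerName.ToLowerInvariant();
if (lowered.StartsWith("x-secondlife-", StringComparison.Ordinal) ||
    lowered == "connection" ||
    // … unchanged: remaining non-prefixed names, each compared against lowered …
    lowered == "authorization")
    continue;

httpHeaders[headerName] = headerValue;
```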