aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/OpenSim/Region
diff options
context:
space:
mode:
Diffstat (limited to 'OpenSim/Region')
-rw-r--r--OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs53
1 files changed, 53 insertions, 0 deletions
diff --git a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs
index 977f39e..2425646 100644
--- a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs
+++ b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs
@@ -11471,6 +11471,59 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api
11471 if (userAgent != null) 11471 if (userAgent != null)
11472 httpHeaders["User-Agent"] = userAgent; 11472 httpHeaders["User-Agent"] = userAgent;
11473 11473
11474 // See if the URL contains any header hacks
11475 string[] urlParts = url.Split(new char[] {'\n'});
11476 if (urlParts.Length > 1)
11477 {
11478 // Iterate the passed headers and parse them
11479 for (int i = 1 ; i < urlParts.Length ; i++ )
11480 {
11481 // The rest of those would be added to the body in SL.
11482 // Let's not do that.
11483 if (urlParts[i] == String.Empty)
11484 break;
11485
11486 // See if this could be a valid header
11487 string[] headerParts = urlParts[i].Split(new char[] {':'}, 2);
11488 if (headerParts.Length != 2)
11489 continue;
11490
11491 string headerName = headerParts[0].Trim();
11492 string headerValue = headerParts[1].Trim();
11493
11494 // Filter out headers that could be used to abuse
11495 // another system or cloak the request
11496 if (headerName.ToLower() == "x-secondlife-shard" ||
11497 headerName.ToLower() == "x-secondlife-object-name" ||
11498 headerName.ToLower() == "x-secondlife-object-key" ||
11499 headerName.ToLower() == "x-secondlife-region" ||
11500 headerName.ToLower() == "x-secondlife-local-position" ||
11501 headerName.ToLower() == "x-secondlife-local-velocity" ||
11502 headerName.ToLower() == "x-secondlife-local-rotation" ||
11503 headerName.ToLower() == "x-secondlife-owner-name" ||
11504 headerName.ToLower() == "x-secondlife-owner-key" ||
11505 headerName.ToLower() == "connection" ||
11506 headerName.ToLower() == "content-length" ||
11507 headerName.ToLower() == "from" ||
11508 headerName.ToLower() == "host" ||
11509 headerName.ToLower() == "proxy-authorization" ||
11510 headerName.ToLower() == "referer" ||
11511 headerName.ToLower() == "trailer" ||
11512 headerName.ToLower() == "transfer-encoding" ||
11513 headerName.ToLower() == "via" ||
11514 headerName.ToLower() == "authorization")
11515 continue;
11516
11517 httpHeaders[headerName] = headerValue;
11518 }
11519
11520 // Finally, strip any protocol specifier from the URL
11521 url = urlParts[0].Trim();
11522 int idx = url.IndexOf(" HTTP/");
11523 if (idx != -1)
11524 url = url.Substring(0, idx);
11525 }
11526
11474 string authregex = @"^(https?:\/\/)(\w+):(\w+)@(.*)$"; 11527 string authregex = @"^(https?:\/\/)(\w+):(\w+)@(.*)$";
11475 Regex r = new Regex(authregex); 11528 Regex r = new Regex(authregex);
11476 int[] gnums = r.GetGroupNumbers(); 11529 int[] gnums = r.GetGroupNumbers();