diff options
Diffstat (limited to 'OpenSim')
-rw-r--r-- | OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs index 977f39e..2425646 100644 --- a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs +++ b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs | |||
@@ -11471,6 +11471,59 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api | |||
11471 | if (userAgent != null) | 11471 | if (userAgent != null) |
11472 | httpHeaders["User-Agent"] = userAgent; | 11472 | httpHeaders["User-Agent"] = userAgent; |
11473 | 11473 | ||
11474 | // See if the URL contains any header hacks | ||
11475 | string[] urlParts = url.Split(new char[] {'\n'}); | ||
11476 | if (urlParts.Length > 1) | ||
11477 | { | ||
11478 | // Iterate the passed headers and parse them | ||
11479 | for (int i = 1 ; i < urlParts.Length ; i++ ) | ||
11480 | { | ||
11481 | // The rest of those would be added to the body in SL. | ||
11482 | // Let's not do that. | ||
11483 | if (urlParts[i] == String.Empty) | ||
11484 | break; | ||
11485 | |||
11486 | // See if this could be a valid header | ||
11487 | string[] headerParts = urlParts[i].Split(new char[] {':'}, 2); | ||
11488 | if (headerParts.Length != 2) | ||
11489 | continue; | ||
11490 | |||
11491 | string headerName = headerParts[0].Trim(); | ||
11492 | string headerValue = headerParts[1].Trim(); | ||
11493 | |||
11494 | // Filter out headers that could be used to abuse | ||
11495 | // another system or cloak the request | ||
11496 | if (headerName.ToLower() == "x-secondlife-shard" || | ||
11497 | headerName.ToLower() == "x-secondlife-object-name" || | ||
11498 | headerName.ToLower() == "x-secondlife-object-key" || | ||
11499 | headerName.ToLower() == "x-secondlife-region" || | ||
11500 | headerName.ToLower() == "x-secondlife-local-position" || | ||
11501 | headerName.ToLower() == "x-secondlife-local-velocity" || | ||
11502 | headerName.ToLower() == "x-secondlife-local-rotation" || | ||
11503 | headerName.ToLower() == "x-secondlife-owner-name" || | ||
11504 | headerName.ToLower() == "x-secondlife-owner-key" || | ||
11505 | headerName.ToLower() == "connection" || | ||
11506 | headerName.ToLower() == "content-length" || | ||
11507 | headerName.ToLower() == "from" || | ||
11508 | headerName.ToLower() == "host" || | ||
11509 | headerName.ToLower() == "proxy-authorization" || | ||
11510 | headerName.ToLower() == "referer" || | ||
11511 | headerName.ToLower() == "trailer" || | ||
11512 | headerName.ToLower() == "transfer-encoding" || | ||
11513 | headerName.ToLower() == "via" || | ||
11514 | headerName.ToLower() == "authorization") | ||
11515 | continue; | ||
11516 | |||
11517 | httpHeaders[headerName] = headerValue; | ||
11518 | } | ||
11519 | |||
11520 | // Finally, strip any protocol specifier from the URL | ||
11521 | url = urlParts[0].Trim(); | ||
11522 | int idx = url.IndexOf(" HTTP/"); | ||
11523 | if (idx != -1) | ||
11524 | url = url.Substring(0, idx); | ||
11525 | } | ||
11526 | |||
11474 | string authregex = @"^(https?:\/\/)(\w+):(\w+)@(.*)$"; | 11527 | string authregex = @"^(https?:\/\/)(\w+):(\w+)@(.*)$"; |
11475 | Regex r = new Regex(authregex); | 11528 | Regex r = new Regex(authregex); |
11476 | int[] gnums = r.GetGroupNumbers(); | 11529 | int[] gnums = r.GetGroupNumbers(); |