Diffstat (limited to '')
-rw-r--r-- | bin/LukeSkywalker.IPNetwork.dll | bin | 0 -> 18432 bytes | |||
-rw-r--r-- | bin/OpenSim.ini.example | 26 | ||||
-rw-r--r-- | bin/OpenSimDefaults.ini | 20 | ||||
-rw-r--r-- | bin/Robust.HG.ini.example | 7 | ||||
-rw-r--r-- | bin/Robust.ini.example | 7 |
5 files changed, 60 insertions, 0 deletions
diff --git a/bin/LukeSkywalker.IPNetwork.dll b/bin/LukeSkywalker.IPNetwork.dll new file mode 100644 index 0000000..25bcc2f --- /dev/null +++ b/bin/LukeSkywalker.IPNetwork.dll | |||
Binary files differ | |||
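--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -486,6 +486,32 @@
 ;; the region ports use UDP.
 ; http_listener_port = 9000
 
+; By default, OpenSimulator does not allow scripts to make HTTP calls to addresses on the simulator's LAN.
+; See the OutboundDisallowForUserScripts parameter in OpenSimDefaults.ini for more information on this filter.
+; If you need to allow scripts to make some LAN calls use the OutboundDisallowForUserScriptsExcept parameter below.
+; We recommend that you do not override OutboundDisallowForUserScripts directly unless you are very sure about what you're doing.
+;
+; You can whitelist individual endpoints by IP or FQDN, e.g.
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.3:8003
+;
+; You can specify multiple addresses by separating them with a bar. For example,
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.3:8003|myinternalserver:8000
+;
+; If an address if given without a port number then port 80 is assumed
+;
+; You can also specify a network range in CIDR notation to whitelist, e.g.
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.0/24
+;
+; to whitelist all ports on addresses 192.168.1.0 to 192.168.1.255
+; To specify an individual IP address use the /32 netmask
+;
+; OutboundDisallowForUserScriptsExcept = 192.168.1.2/32
+;
+; See http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation for more information on CIDR notation
+
 ;# {ExternalHostNameForLSL} {} {Hostname to use for HTTP-IN URLs. This should be reachable from the internet.} {}
 ;; Hostname to use in llRequestURL/llRequestSecureURL
 ;; if not defined - default machine name is being used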
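Review bot: The FQDN example at new line 500 (`myinternalserver:8000`) does not say how a name-based exception is matched; the filter code is not on this page, so I cannot tell whether the name is resolved once or on every request. If it follows DNS at request time, the exception is only as trustworthy as the resolver, and the comment should say so, e.g. `; Prefer IP-based exceptions; a hostname exception trusts whatever address the name resolves to.` The CIDR example at line 506 opens every port on the whole /24, so I would also add `; Prefer <addr>:<port> exceptions where possible; a range exception allows all ports on every host in it.` Line 502 has a typo and should read `; If an address is given without a port number then port 80 is assumed`.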
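--- a/bin/OpenSimDefaults.ini
+++ b/bin/OpenSimDefaults.ini
@@ -492,6 +492,26 @@
 ; (on Windows this mean NETBIOS name - useably only inside local network)
 ; ExternalHostNameForLSL=127.0.0.1
 
+; Disallow the following address ranges for user scripting calls (e.g. llHttpRequest())
+; This is based on http://en.wikipedia.org/wiki/Reserved_IP_addresses
+; This stops users making HTTP calls to machines in the simulator's local network.
+; If you need to allow some LAN calls we recommend you use OutboundDisallowForUserScriptsExcept documented in OpenSim.ini.example
+; If you override OutboundDisallowForUserScripts directly you need to be very careful.
+;
+; Network ranges are specified in CIDR notation (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation) with multiple entries separated by |
+; To specify an individual IP address use the /32 netmask (e.g. 192.168.1.3/32)
+; You can also specify individual <addr>:<port> endpoints (e.g. 192.168.1.3:8003)
+; If an address if given without a port number then port 80 is assumed.
+OutboundDisallowForUserScripts = 0.0.0.0/8|10.0.0.0/8|100.64.0.0/10|127.0.0.0/8|169.254.0.0/16|172.16.0.0/12|192.0.0.0/24|192.0.2.0/24|192.88.99.0/24|192.168.0.0/16|198.18.0.0/15|198.51.100.0/24|203.0.113.0/24|224.0.0.0/4|240.0.0.0/4|255.255.255.255/32
+;
+; You can also prevent all user script outgoing calls with the following override in OpenSim.ini
+;
+; OutboundDisallowForUserScripts = 0.0.0.0/0
+;
+; You can also disable the blacklist entirely with an empty entry
+;
+; OutboundDisallowForUserScripts = ""
+
 ; What is reported as the "X-Secondlife-Shard"
 ; Defaults to the user server url if not set
 ; The old default is "OpenSim", set here for compatibility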
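Review bot: The default deny list at new line 505 contains only IPv4 ranges, so IPv6 loopback, link-local and unique-local addresses are not named in it. Whether that matters depends on the filter and HTTP client code, which is not on this page, but if script requests can reach IPv6 destinations the LAN protection described at line 497 would be incomplete. I would either extend the value (if the CIDR parser accepts IPv6) or state the limit in the comment: `; NOTE: this list covers IPv4 only; IPv6 local ranges such as ::1/128, fc00::/7 and fe80::/10 are not filtered by it.` The empty-value override at line 513 also deserves a warning line, e.g. `; WARNING: this lets any user script call services on the simulator's loopback and LAN.` Line 504 repeats the typo `if given` for `is given`.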
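--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -153,6 +153,13 @@
 ;; Hypergrid services are not affected by this; they are publicly available
 ;; by design.
 
+;; By default, scripts are not allowed to call private services via llHttpRequest()
+;; Such calls are detected by the X-SecondLife-Shared HTTP header
+;; If you allow such calls you must be sure that they are restricted to very trusted scripters
+;; (remember scripts can also be in visiting avatar attachments).
+;; This can be overriden in individual private service sections if necessary
+AllowllHTTPRequestIn = false
+
 ; * The following are for the remote console
 ; * They have no effect for the local or basic console types
 ; * Leave commented to diable logins to the console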
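Review bot: The header named at new line 157, `X-SecondLife-Shared`, looks like a misspelling of the shard header (a context line in OpenSimDefaults.ini spells it `X-Secondlife-Shard`); the same comment is repeated at line 134 of Robust.ini.example. As the comment describes it, the check keys on a header attached by the sending simulator, so it reads as a guard against scripts running on well-behaved simulators rather than as access control for the private services. I would reword it to `;; Such calls are detected by the X-SecondLife-Shard HTTP header added by the simulator.` followed by `;; This is not authentication; keep private services firewalled or behind HTTP auth as well.` The spelling `overriden` at line 160 (and line 137 of Robust.ini.example) should be `overridden`.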
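--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -129,6 +129,13 @@
 ;; This is useful in cases where you want to protect most of the services,
 ;; but unprotect individual services. Username and Password can also be
 ;; overriden if you want to use different credentials for the different services.
+
+;; By default, scripts are not allowed to call private services via llHttpRequest()
+;; Such calls are detected by the X-SecondLife-Shared HTTP header
+;; If you allow such calls you must be sure that they are restricted to very trusted scripters
+;; (remember scripts can also be in visiting avatar attachments).
+;; This can be overriden in individual private service sections if necessary
+AllowllHTTPRequestIn = false
 
 ; * The following are for the remote console
 ; * They have no effect for the local or basic console types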