From 0413d052a3ec541164049e7d39278c57fb92ed06 Mon Sep 17 00:00:00 2001 From: diva Date: Tue, 14 Apr 2009 19:35:35 +0000 Subject: Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
---
 .../Communications/Services/LoginService.cs | 46 ++++++++++++++++++++++
 1 file changed, 46 insertions(+) (limited to 'OpenSim/Framework/Communications/Services')
diff --git a/OpenSim/Framework/Communications/Services/LoginService.cs b/OpenSim/Framework/Communications/Services/LoginService.cs
index d9556e4..d491309 100644
--- a/OpenSim/Framework/Communications/Services/LoginService.cs
+++ b/OpenSim/Framework/Communications/Services/LoginService.cs
@@ -37,6 +37,7 @@ using log4net;
 using Nwc.XmlRpc;
 using OpenMetaverse;
 using OpenMetaverse.StructuredData;
+using OpenSim.Framework;
 using OpenSim.Framework.Communications.Cache;
 using OpenSim.Framework.Statistics;
@@ -194,6 +195,12 @@ namespace OpenSim.Framework.Communications.Services
 CreateAgent(userProfile, request);
+ // We need to commit the agent right here, even though the userProfile info is not complete
+ // at this point. There is another commit further down.
+ // This is for the new sessionID to be stored so that the region can check it for session authentication.
+ // CustomiseResponse->PrepareLoginToRegion
+ CommitAgent(ref userProfile);
+
 try
 {
 UUID agentID = userProfile.ID;
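Review bot: The result of the new `CommitAgent(ref userProfile)` call is discarded; if that method can report failure (its signature is outside this hunk), login proceeds with a session id the region will not be able to verify, and the eventual rejection leaves no log entry pointing back here. If it returns a success flag, consider `if (!CommitAgent(ref userProfile)) m_log.WarnFormat("[LOGIN]: early CommitAgent failed for {0}", userProfile.ID);` before continuing into the try block. The last comment line `// CustomiseResponse->PrepareLoginToRegion` would read better as a sentence, e.g. `// The region-side session check is wired up in CustomiseResponse -> PrepareLoginToRegion.` The enclosing method starts and ends outside the hunk.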
@@ -1108,5 +1115,44 @@ namespace OpenSim.Framework.Communications.Services
 {
 return false;
 }
+
+ public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request)
+ {
+ XmlRpcResponse response = new XmlRpcResponse();
+ Hashtable requestData = (Hashtable)request.Params[0];
+
+ string authed = "FALSE";
+ if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id"))
+ {
+ UUID guess_aid;
+ UUID guess_sid;
+
+ UUID.TryParse((string)requestData["avatar_uuid"], out guess_aid);
+ if (guess_aid == UUID.Zero)
+ {
+ return Util.CreateUnknownUserErrorResponse();
+ }
+ UUID.TryParse((string)requestData["session_id"], out guess_sid);
+ if (guess_sid == UUID.Zero)
+ {
+ return Util.CreateUnknownUserErrorResponse();
+ }
+ if (m_userManager.VerifySession(guess_aid, guess_sid))
+ {
+ authed = "TRUE";
+ }
+ m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid);
+ }
+ else
+ {
+ m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE");
+ return Util.CreateUnknownUserErrorResponse();
+ }
+ Hashtable responseData = new Hashtable();
+ responseData["auth_session"] = authed;
+ response.Value = responseData;
+ return response;
+ }
+
 }
 }
-- cgit v1.1
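Review bot: The log line after the `VerifySession` check reports `CheckAuthSession TRUE for user {0}` unconditionally, so a failed session check (authed still "FALSE") is logged as a success, which is exactly the wrong signal when this endpoint is meant to catch spoofing; log the computed value instead: `m_log.InfoFormat("[UserManager]: CheckAuthSession {0} for user {1}", authed, guess_aid);`. A missing or unparseable avatar_uuid/session_id returns `Util.CreateUnknownUserErrorResponse()` rather than a payload with `auth_session` set to "FALSE", so callers must handle two response shapes; a `///` summary on `XmlRPCCheckAuthSession` stating that the error response, not auth_session=FALSE, is returned for malformed input would spare the region side a wrong assumption. The `(string)` casts on the two Hashtable values will throw if a client sends a non-string parameter; `requestData["avatar_uuid"] as string` followed by the existing UUID.Zero check keeps the existing failure path without an exception. This handler is a session-validity oracle reachable over XML-RPC; whether it is exposed only to trusted regions is not visible in this hunk, and the summary comment should say what is assumed.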