From 3255335c42ff348465d235a3ccf9558d0d6d414b Mon Sep 17 00:00:00 2001
From: Justin Clark-Casey (justincc)
Date: Wed, 4 Mar 2015 17:51:11 +0000
Subject: Make private services forbid llHTTPRequest() calls by rejecting those that have the X-SecondLife-Shard header. If you need to enable this, set AllowHttpRequestIn = true in [Network] for all private services or individual [*Service] sections.
---
 .../ServiceAuth/BasicHttpAuthentication.cs | 25 +++++++++++++---------
 1 file changed, 15 insertions(+), 10 deletions(-)
(limited to 'OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs')
diff --git a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
index b3d64e1..3c13bbf 100644
--- a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
+++ b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
@@ -28,6 +28,7 @@
 using System;
 using System.Collections.Generic;
 using System.Collections.Specialized;
+using System.Net;
 using System.Reflection;
 using Nini.Config;
@@ -82,24 +83,28 @@ namespace OpenSim.Framework.ServiceAuth
 return false;
 }
- public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d)
+ public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode)
 {
- //m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", remove_me);
- if (requestHeaders != null)
+// m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", "BasicHttpAuthentication");
+
+ string value = requestHeaders.Get("Authorization");
+ if (value != null)
 {
- string value = requestHeaders.Get("Authorization");
- if (value != null)
+ value = value.Trim();
+ if (value.StartsWith("Basic "))
 {
- value = value.Trim();
- if (value.StartsWith("Basic "))
+ value = value.Replace("Basic ", string.Empty);
+ if (Authenticate(value))
 {
- value = value.Replace("Basic ", string.Empty);
- if (Authenticate(value))
- return true;
+ statusCode = HttpStatusCode.OK;
+ return true;
 }
 }
 }
+ d("WWW-Authenticate", "Basic realm = \"Asset Server\"");
+
+ statusCode = HttpStatusCode.Unauthorized;
 return false;
 }
 }
--
cgit v1.1
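Review bot: The rewritten body dereferences `requestHeaders` unconditionally in `string value = requestHeaders.Get("Authorization");`, whereas the removed code guarded it with `if (requestHeaders != null)`; if any caller can pass a null collection this now throws a NullReferenceException instead of answering 401, and `statusCode` is never assigned on that path. Keeping the old guard is a one-liner: `string value = requestHeaders != null ? requestHeaders.Get("Authorization") : null;`. The scheme check and prefix strip on the new side are also looser than they need to be — `StartsWith("Basic ")` is culture-sensitive and `Replace("Basic ", string.Empty)` rewrites every occurrence rather than just the prefix — so `if (value.StartsWith("Basic ", StringComparison.Ordinal))` followed by `value = value.Substring("Basic ".Length);` is tighter. The `WWW-Authenticate` value `Basic realm = "Asset Server"` carries whitespace around `=`, which RFC 7235 permits but discourages, so strictly parsing clients may not recognise the realm. The enclosing class and the single-argument `Authenticate` overload this calls lie outside the hunk.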