From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001
From: Johan Berntsson
Date: Wed, 23 Jul 2008 06:59:02 +0000
Subject: thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)
---
 .../Grid/InventoryServer/GridInventoryService.cs | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'OpenSim/Grid/InventoryServer/GridInventoryService.cs')
diff --git a/OpenSim/Grid/InventoryServer/GridInventoryService.cs b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
index 5388263..78f33a3 100644
--- a/OpenSim/Grid/InventoryServer/GridInventoryService.cs
+++ b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
@@ -26,12 +26,15 @@
 */
 using System;
+using System.Collections;
 using System.Collections.Generic;
 using System.Reflection;
 using System.Threading;
+using System.Net;
 using libsecondlife;
 using log4net;
+using Nwc.XmlRpc;
 using OpenSim.Framework;
 using OpenSim.Framework.Communications;
@@ -46,6 +49,44 @@ namespace OpenSim.Grid.InventoryServer
 private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
+ private string m_userserver_url;
+
+ public GridInventoryService(string userserver_url)
+ {
+ m_userserver_url = userserver_url;
+ }
+
+ public bool CheckTrustSource(IPEndPoint peer)
+ {
+ m_log.InfoFormat("[GRID AGENT INVENTORY]: checking trusted source {0}", peer.ToString());
+ UriBuilder ub = new UriBuilder(m_userserver_url);
+ if (ub.Host == peer.Address.ToString())
+ {
+ return true;
+ }
+ return false;
+ }
+
+ public bool CheckAuthSession(string session_id, string avatar_id)
+ {
+ m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session {0} {1}", session_id, avatar_id);
+ Hashtable requestData = new Hashtable();
+ requestData["avatar_uuid"] = avatar_id;
+ requestData["session_id"] = session_id;
+ ArrayList SendParams = new ArrayList();
+ SendParams.Add(requestData);
+ XmlRpcRequest UserReq = new XmlRpcRequest("check_auth_session", SendParams);
+ XmlRpcResponse UserResp = UserReq.Send(m_userserver_url, 3000);
+
+ Hashtable responseData = (Hashtable)UserResp.Value;
+
+ if (responseData.ContainsKey("auth_session") && responseData["auth_session"].ToString() == "TRUE")
+ {
+ return true;
+ }
+ return false;
+ }
+
 public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback)
 {
 }
-- 
cgit v1.1
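Review bot: `CheckAuthSession` writes `session_id` to the Info log, and that value is the credential this same method validates, so anyone who can read the inventory server's log can reuse it while the session is live; log `avatar_id` only. The cast `(Hashtable)UserResp.Value` assumes the user server always answers with a struct, so a null or differently typed value (and presumably a `Send` that fails within its 3000 timeout) surfaces as an exception rather than `false`, and whether that fails closed depends on callers that are outside this hunk. In `CheckTrustSource`, `ub.Host == peer.Address.ToString()` is a text comparison, so it only matches when the user server URL is configured with an IP literal in exactly the form `IPAddress.ToString()` prints; a DNS name never matches, and an operator who hits that is likely to switch the check off. The sketch below compares resolved addresses and returns `false` on a malformed reply; the lookup can throw on resolution failure and could be done once in the constructor instead.

```csharp
public bool CheckTrustSource(IPEndPoint peer)
{
    // … unchanged: log line, UriBuilder ub …
    // Compare addresses rather than text so a DNS name in the configured URL still matches.
    foreach (IPAddress candidate in Dns.GetHostAddresses(ub.Host))
    {
        if (candidate.Equals(peer.Address))
        {
            return true;
        }
    }
    return false;
}

public bool CheckAuthSession(string session_id, string avatar_id)
{
    // Log who is being checked, not the session token itself.
    m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session for {0}", avatar_id);
    // … unchanged: build requestData, send check_auth_session …

    // Anything other than a well-formed struct is treated as "not authenticated".
    Hashtable responseData = UserResp.Value as Hashtable;
    if (responseData == null || !responseData.ContainsKey("auth_session"))
    {
        return false;
    }
    return responseData["auth_session"].ToString() == "TRUE";
}
```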