From 6fc1ceb2ee3888edae6e99fcbf59e79910058cc9 Mon Sep 17 00:00:00 2001
From: Melanie
Date: Sat, 2 Oct 2010 20:11:43 +0100
Subject: So, the client can have an old idea of the object properties for the object when it goes to buy. This can cause a problem in the buy process. Additionally Hazim mentioned that the buy packets are spoofable. The core modules are the crowing glory example of best practice :P, so therefore, setting the example here, Validate Client sent Buy Data. WebAppSecurity 101, Never trust a client. Validate Validate Validate! Or you'll have problems whether intentional or not.
---
 .../World/MoneyModule/SampleMoneyModule.cs | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 (limited to 'OpenSim/Region')
diff --git a/OpenSim/Region/OptionalModules/World/MoneyModule/SampleMoneyModule.cs b/OpenSim/Region/OptionalModules/World/MoneyModule/SampleMoneyModule.cs
index d364df6..e42dbf2 100644
--- a/OpenSim/Region/OptionalModules/World/MoneyModule/SampleMoneyModule.cs
+++ b/OpenSim/Region/OptionalModules/World/MoneyModule/SampleMoneyModule.cs
@@ -805,6 +805,16 @@ namespace OpenSim.Region.OptionalModules.World.MoneyModule
 }
 
 Scene s = LocateSceneClientIn(remoteClient.AgentId);
+
+ // Implmenting base sale data checking here so the default OpenSimulator implementation isn't useless
+ // combined with other implementations. We're actually validating that the client is sending the data
+ // that it should. In theory, the client should already know what to send here because it'll see it when it
+ // gets the object data. If the data sent by the client doesn't match the object, the viewer probably has an
+ // old idea of what the object properties are. Viewer developer Hazim informed us that the base module
+ // didn't check the client sent data against the object do any. Since the base modules are the
+ // 'crowning glory' examples of good practice..
+
+ // Validate that the object exists in the scene the user is in
 SceneObjectPart part = s.GetSceneObjectPart(localID);
 if (part == null)
 {
@@ -812,6 +822,20 @@ namespace OpenSim.Region.OptionalModules.World.MoneyModule
 return;
 }
 
+ // Validate that the client sent the price that the object is being sold for
+ if (part.SalePrice != salePrice)
+ {
+ remoteClient.SendAgentAlertMessage("Cannot buy at this price. Buy Failed. If you continue to get this relog.", false);
+ return;
+ }
+
+ // Validate that the client sent the proper sale type the object has set
+ if (part.ObjectSaleType != saleType)
+ {
+ remoteClient.SendAgentAlertMessage("Cannot buy this way. Buy Failed. If you continue to get this relog.", false);
+ return;
+ }
+
 IBuySellModule module = s.RequestModuleInterface();
 if (module != null)
 module.BuyObject(remoteClient, categoryID, localID, saleType, salePrice);
-- 
cgit v1.1
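Review bot: The comment block added in the first hunk has a typo on its first line, `// Implementing base sale data checking here ...` rather than `Implmenting`, and the sentence `didn't check the client sent data against the object do any` is garbled; `didn't check the client-sent data against the object at all` reads as the intended meaning. The closing sentence about the base modules being 'crowning glory' examples trails off without finishing and could be dropped, since the opening line already states why the checks live here. The enclosing method begins before this hunk.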
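Review bot: The new checks confirm that the client's salePrice and saleType match the part, yet the last line of the second hunk still forwards the client-supplied values to `module.BuyObject`; since they have just been verified equal, passing the server-side values instead is behaviour-neutral and removes any downstream dependence on client input: `module.BuyObject(remoteClient, categoryID, localID, part.ObjectSaleType, part.SalePrice);`. A part whose ObjectSaleType is 0 (not for sale) passes both new checks when the client also sends 0, and whether BuyObject rejects that case is not visible from this hunk, so it is worth confirming. The enclosing method starts before this hunk and the `<IBuySellModule>` type argument on RequestModuleInterface appears to have been lost in rendering rather than in the patch itself.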