From e4e754ee93de0e0b6fde3b3ccd20085d3d4a09a1 Mon Sep 17 00:00:00 2001 From: Diva Canto Date: Fri, 27 Apr 2012 09:23:56 -0700 Subject: MapImageService: added an additional security check for OSGrid and other grids like it. --- .../Server/Handlers/Map/MapAddServerConnector.cs | 48 +++++++++++++++++++--- 1 file changed, 43 insertions(+), 5 deletions(-) (limited to 'OpenSim/Server/Handlers/Map/MapAddServerConnector.cs') diff --git a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs index 75dd711..c87de92 100644 --- a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs +++ b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs @@ -33,17 +33,24 @@ using System.Xml; using Nini.Config; using log4net; +using OpenMetaverse; +using OpenSim.Framework; using OpenSim.Server.Base; using OpenSim.Services.Interfaces; using OpenSim.Framework.Servers.HttpServer; using OpenSim.Server.Handlers.Base; +using GridRegion = OpenSim.Services.Interfaces.GridRegion; + namespace OpenSim.Server.Handlers.MapImage { public class MapAddServiceConnector : ServiceConnector { + private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); + private IMapImageService m_MapService; + private IGridService m_GridService; private string m_ConfigName = "MapImageService"; public MapAddServiceConnector(IConfigSource config, IHttpServer server, string configName) : @@ -53,16 +60,26 @@ namespace OpenSim.Server.Handlers.MapImage if (serverConfig == null) throw new Exception(String.Format("No section {0} in config file", m_ConfigName)); - string gridService = serverConfig.GetString("LocalServiceModule", + string mapService = serverConfig.GetString("LocalServiceModule", String.Empty); - if (gridService == String.Empty) + if (mapService == String.Empty) throw new Exception("No LocalServiceModule in config file"); Object[] args = new Object[] { config }; - m_MapService = ServerUtils.LoadPlugin(gridService, args); + m_MapService = ServerUtils.LoadPlugin(mapService, args); + + string gridService = serverConfig.GetString("GridService", String.Empty); + if (gridService != string.Empty) + m_GridService = ServerUtils.LoadPlugin(gridService, args); + + if (m_GridService != null) + m_log.InfoFormat("[MAP IMAGE HANDLER]: GridService check is ON"); + else + m_log.InfoFormat("[MAP IMAGE HANDLER]: GridService check is OFF"); + + server.AddStreamHandler(new MapServerPostHandler(m_MapService, m_GridService)); - server.AddStreamHandler(new MapServerPostHandler(m_MapService)); } } @@ -70,11 +87,13 @@ namespace OpenSim.Server.Handlers.MapImage { private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); private IMapImageService m_MapService; + private IGridService m_GridService; - public MapServerPostHandler(IMapImageService service) : + public MapServerPostHandler(IMapImageService service, IGridService grid) : base("POST", "/map") { m_MapService = service; + m_GridService = grid; } public override byte[] Handle(string path, Stream requestData, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse) @@ -105,6 +124,25 @@ namespace OpenSim.Server.Handlers.MapImage // if (request.ContainsKey("TYPE")) // type = request["TYPE"].ToString(); + if (m_GridService != null) + { + GridRegion r = m_GridService.GetRegionByPosition(UUID.Zero, x * (int)Constants.RegionSize, y * (int)Constants.RegionSize); + if (r != null) + { + if (r.ExternalEndPoint.Address != httpRequest.RemoteIPEndPoint.Address) + { + m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue", httpRequest.RemoteIPEndPoint.Address); + return FailureResult("IP address of caller does not match IP address of registered region"); + } + + } + else + { + m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue", httpRequest.RemoteIPEndPoint.Address); + return FailureResult("Region not found at given coordinates"); + } + } + byte[] data = Convert.FromBase64String(request["DATA"].ToString()); string reason = string.Empty; -- cgit v1.1 From ac64fe03d8992a041933c303fa12933393cf1713 Mon Sep 17 00:00:00 2001 From: Diva Canto Date: Fri, 27 Apr 2012 09:59:46 -0700 Subject: Amend to last commit: account for the existence of proxies. --- .../Server/Handlers/Map/MapAddServerConnector.cs | 35 ++++++++++++++++++++-- 1 file changed, 32 insertions(+), 3 deletions(-) (limited to 'OpenSim/Server/Handlers/Map/MapAddServerConnector.cs') diff --git a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs index c87de92..cc7ef9d 100644 --- a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs +++ b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs @@ -78,7 +78,8 @@ namespace OpenSim.Server.Handlers.MapImage else m_log.InfoFormat("[MAP IMAGE HANDLER]: GridService check is OFF"); - server.AddStreamHandler(new MapServerPostHandler(m_MapService, m_GridService)); + bool proxy = serverConfig.GetBoolean("HasProxy", false); + server.AddStreamHandler(new MapServerPostHandler(m_MapService, m_GridService, proxy)); } } @@ -88,12 +89,14 @@ namespace OpenSim.Server.Handlers.MapImage private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); private IMapImageService m_MapService; private IGridService m_GridService; + bool m_Proxy; - public MapServerPostHandler(IMapImageService service, IGridService grid) : + public MapServerPostHandler(IMapImageService service, IGridService grid, bool proxy) : base("POST", "/map") { m_MapService = service; m_GridService = grid; + m_Proxy = proxy; } public override byte[] Handle(string path, Stream requestData, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse) @@ -129,7 +132,7 @@ namespace OpenSim.Server.Handlers.MapImage GridRegion r = m_GridService.GetRegionByPosition(UUID.Zero, x * (int)Constants.RegionSize, y * (int)Constants.RegionSize); if (r != null) { - if (r.ExternalEndPoint.Address != httpRequest.RemoteIPEndPoint.Address) + if (r.ExternalEndPoint.Address != GetCallerIP(httpRequest)) { m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue", httpRequest.RemoteIPEndPoint.Address); return FailureResult("IP address of caller does not match IP address of registered region"); @@ -221,5 +224,31 @@ namespace OpenSim.Server.Handlers.MapImage return ms.ToArray(); } + + private System.Net.IPAddress GetCallerIP(IOSHttpRequest request) + { + if (!m_Proxy) + return request.RemoteIPEndPoint.Address; + + // We're behind a proxy + string xff = "X-Forwarded-For"; + string xffValue = request.Headers[xff.ToLower()]; + if (xffValue == null || (xffValue != null && xffValue == string.Empty)) + xffValue = request.Headers[xff]; + + if (xffValue == null || (xffValue != null && xffValue == string.Empty)) + { + m_log.WarnFormat("[MAP IMAGE HANDLER]: No XFF header"); + return request.RemoteIPEndPoint.Address; + } + + System.Net.IPEndPoint ep = Util.GetClientIPFromXFF(xffValue); + if (ep != null) + return ep.Address; + + // Oops + return request.RemoteIPEndPoint.Address; + } + } } -- cgit v1.1 From 292752bb78984c84b4305f32226d7f226092a08a Mon Sep 17 00:00:00 2001 From: Diva Canto Date: Fri, 27 Apr 2012 10:22:43 -0700 Subject: MapImage security issue: better error messages --- OpenSim/Server/Handlers/Map/MapAddServerConnector.cs | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'OpenSim/Server/Handlers/Map/MapAddServerConnector.cs') diff --git a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs index cc7ef9d..a612114 100644 --- a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs +++ b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs @@ -132,16 +132,18 @@ namespace OpenSim.Server.Handlers.MapImage GridRegion r = m_GridService.GetRegionByPosition(UUID.Zero, x * (int)Constants.RegionSize, y * (int)Constants.RegionSize); if (r != null) { - if (r.ExternalEndPoint.Address != GetCallerIP(httpRequest)) + System.Net.IPAddress ipAddr = GetCallerIP(httpRequest); + if (r.ExternalEndPoint.Address != ipAddr) { - m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue", httpRequest.RemoteIPEndPoint.Address); + m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be trying to impersonate region in IP {1}", ipAddr, r.ExternalEndPoint.Address); return FailureResult("IP address of caller does not match IP address of registered region"); } } else { - m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue", httpRequest.RemoteIPEndPoint.Address); + m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue. Region not found at coordinates {1}-{2}", + httpRequest.RemoteIPEndPoint.Address, x, y); return FailureResult("Region not found at given coordinates"); } } -- cgit v1.1 From a9dbe393194b58447f20984eff03d366c03a01e4 Mon Sep 17 00:00:00 2001 From: Diva Canto Date: Fri, 27 Apr 2012 10:39:20 -0700 Subject: MapImage security issue. Compare strings instead of IPAddresses. --- OpenSim/Server/Handlers/Map/MapAddServerConnector.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'OpenSim/Server/Handlers/Map/MapAddServerConnector.cs') diff --git a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs index a612114..8ba188d 100644 --- a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs +++ b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs @@ -133,7 +133,7 @@ namespace OpenSim.Server.Handlers.MapImage if (r != null) { System.Net.IPAddress ipAddr = GetCallerIP(httpRequest); - if (r.ExternalEndPoint.Address != ipAddr) + if (r.ExternalEndPoint.Address.ToString() != ipAddr.ToString()) { m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be trying to impersonate region in IP {1}", ipAddr, r.ExternalEndPoint.Address); return FailureResult("IP address of caller does not match IP address of registered region"); -- cgit v1.1 From 9bc94c502a8e30b0d727f15d0e4b4bb22d163d6c Mon Sep 17 00:00:00 2001 From: Diva Canto Date: Fri, 27 Apr 2012 11:05:40 -0700 Subject: MapImageService: changed the event at which the map tiles are uploaded, because they were being uploaded before the region was registered with the grid --- OpenSim/Server/Handlers/Map/MapAddServerConnector.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'OpenSim/Server/Handlers/Map/MapAddServerConnector.cs') diff --git a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs index 8ba188d..4a61969 100644 --- a/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs +++ b/OpenSim/Server/Handlers/Map/MapAddServerConnector.cs @@ -129,10 +129,10 @@ namespace OpenSim.Server.Handlers.MapImage if (m_GridService != null) { + System.Net.IPAddress ipAddr = GetCallerIP(httpRequest); GridRegion r = m_GridService.GetRegionByPosition(UUID.Zero, x * (int)Constants.RegionSize, y * (int)Constants.RegionSize); if (r != null) { - System.Net.IPAddress ipAddr = GetCallerIP(httpRequest); if (r.ExternalEndPoint.Address.ToString() != ipAddr.ToString()) { m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be trying to impersonate region in IP {1}", ipAddr, r.ExternalEndPoint.Address); @@ -143,7 +143,7 @@ namespace OpenSim.Server.Handlers.MapImage else { m_log.WarnFormat("[MAP IMAGE HANDLER]: IP address {0} may be rogue. Region not found at coordinates {1}-{2}", - httpRequest.RemoteIPEndPoint.Address, x, y); + ipAddr, x, y); return FailureResult("Region not found at given coordinates"); } } -- cgit v1.1