Patches #9143 and #9144 (Mantis #1723)

Changes the permissions module to make scripts permissive only when intended
Adds security checks to asset transfers to prevent hacked clients fron
requesting script sources.
Adds security checks to llClientView to verify all aspects of ownership
and permissions for inventory based script retrieval.

1 files changed, 8 insertions, 1 deletions

diff --git a/OpenSim/Framework/Communications/Cache/AssetCache.cs b/OpenSim/Framework/Communications/Cache/AssetCache.cs
index d0bcc98..90b0a10 100644
--- a/OpenSim/Framework/Communications/Cache/AssetCache.cs
+++ b/OpenSim/Framework/Communications/Cache/AssetCache.cs
@@ -445,7 +445,10 @@ namespace OpenSim.Framework.Communications.Cache
                         req.NumPackets = CalculateNumPackets(assetInf.Data);
 
                         RequestedAssets.Remove(assetInf.FullID);
-                        AssetRequests.Add(req);
+                        // If it's a direct request for a script, drop it
+                        // because it's a hacked client
+                        if(req.AssetRequestSource != 2 || assetInf.Type != 10)
+                            AssetRequests.Add(req);
                     }
                 }
             }
@@ -609,6 +612,10 @@ namespace OpenSim.Framework.Communications.Cache
                 return;
             }
 
+            // Scripts cannot be retrieved by direct request
+            if (transferRequest.TransferInfo.SourceType == 2 && asset.Type == 10)
+                return;
+
             // The asset is knosn to exist and is in our cache, so add it to the AssetRequests list
             AssetRequest req = new AssetRequest();
             req.RequestUser = userInfo;