thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)

2 files changed, 61 insertions, 19 deletions

diff --git a/OpenSim/Grid/InventoryServer/GridInventoryService.cs b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
index 5388263..78f33a3 100644
--- a/OpenSim/Grid/InventoryServer/GridInventoryService.cs
+++ b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
@@ -26,12 +26,15 @@
  */
 
 using System;
+using System.Collections;
 using System.Collections.Generic;
 using System.Reflection;
 using System.Threading;
+using System.Net;
 
 using libsecondlife;
 using log4net;
+using Nwc.XmlRpc;
 
 using OpenSim.Framework;
 using OpenSim.Framework.Communications;
@@ -46,6 +49,44 @@ namespace OpenSim.Grid.InventoryServer
         private static readonly ILog m_log
             = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
 
+        private string m_userserver_url;
+
+        public GridInventoryService(string userserver_url)
+        {
+            m_userserver_url = userserver_url;
+        }
+
+        public bool CheckTrustSource(IPEndPoint peer)
+        {
+            m_log.InfoFormat("[GRID AGENT INVENTORY]: checking trusted source {0}", peer.ToString());
+            UriBuilder ub = new UriBuilder(m_userserver_url);
+            if (ub.Host == peer.Address.ToString())
+            {
+                return true;
+            }
+            return false;
+        }
+
+        public bool CheckAuthSession(string session_id, string avatar_id)
+        {
+            m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session {0} {1}", session_id, avatar_id);
+            Hashtable requestData = new Hashtable();
+            requestData["avatar_uuid"] = avatar_id;
+            requestData["session_id"] = session_id;
+            ArrayList SendParams = new ArrayList();
+            SendParams.Add(requestData);
+            XmlRpcRequest UserReq = new XmlRpcRequest("check_auth_session", SendParams);
+            XmlRpcResponse UserResp = UserReq.Send(m_userserver_url, 3000);
+
+            Hashtable responseData = (Hashtable)UserResp.Value;
+
+            if (responseData.ContainsKey("auth_session") && responseData["auth_session"].ToString() == "TRUE")
+            {
+                return true;
+            }
+            return false;
+        }
+
         public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback)
         {
         }
diff --git a/OpenSim/Grid/InventoryServer/Main.cs b/OpenSim/Grid/InventoryServer/Main.cs
index 2ab1916..138aa1a 100644
--- a/OpenSim/Grid/InventoryServer/Main.cs
+++ b/OpenSim/Grid/InventoryServer/Main.cs
@@ -70,7 +70,8 @@ namespace OpenSim.Grid.InventoryServer
             
             m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml")));
 
-            m_inventoryService = new GridInventoryService();
+            //m_inventoryService = new GridInventoryService();
+            m_inventoryService = new GridInventoryService(m_config.UserServerURL);
             m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect);
 
             m_log.Info("[" + LogName + "]: Starting HTTP server ...");
@@ -85,36 +86,36 @@ namespace OpenSim.Grid.InventoryServer
         protected void AddHttpHandlers()
         {
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<Guid, InventoryCollection>(
-                    "POST", "/GetInventory/", m_inventoryService.GetUserInventory));
+                new RestDeserialiseSecureHandler<Guid, InventoryCollection>(
+                    "POST", "/GetInventory/", m_inventoryService.GetUserInventory, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<Guid, bool>(
-                    "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory));
+                new RestDeserialiseTrustedHandler<Guid, bool>(
+                    "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory, m_inventoryService.CheckTrustSource));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryFolderBase, bool>(
-                    "POST", "/NewFolder/", m_inventoryService.AddFolder));
+                new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+                    "POST", "/NewFolder/", m_inventoryService.AddFolder, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryFolderBase, bool>(
-                    "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder));
+                new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+                    "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryFolderBase, bool>(
-                    "POST", "/MoveFolder/", m_inventoryService.MoveFolder));
+                new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+                    "POST", "/MoveFolder/", m_inventoryService.MoveFolder, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryFolderBase, bool>(
-                    "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder));
+                new RestDeserialiseSecureHandler<InventoryFolderBase, bool>(
+                    "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryItemBase, bool>(
-                    "POST", "/NewItem/", m_inventoryService.AddItem));
+                new RestDeserialiseSecureHandler<InventoryItemBase, bool>(
+                    "POST", "/NewItem/", m_inventoryService.AddItem, m_inventoryService.CheckAuthSession));
 
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<InventoryItemBase, bool>(
-                    "POST", "/DeleteItem/", m_inventoryService.DeleteItem));
+                new RestDeserialiseSecureHandler<InventoryItemBase, bool>(
+                    "POST", "/DeleteItem/", m_inventoryService.DeleteItem, m_inventoryService.CheckAuthSession));
 
             // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g
             // system folders such as Objects, Textures), but it now returns the entire inventory skeleton.
@@ -122,8 +123,8 @@ namespace OpenSim.Grid.InventoryServer
             // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier
             // to do this for now.
             m_httpServer.AddStreamHandler(
-                new RestDeserialiseHandler<Guid, List<InventoryFolderBase>>
-                    ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton));
+                new RestDeserialiseTrustedHandler<Guid, List<InventoryFolderBase>>
+                    ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton, m_inventoryService.CheckTrustSource));
         }
 
         private void Work()