diff options
Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
Diffstat (limited to 'OpenSim/Grid/UserServer.Modules/UserManager.cs')
| -rw-r--r-- | OpenSim/Grid/UserServer.Modules/UserManager.cs | 85 |
1 files changed, 14 insertions, 71 deletions
diff --git a/OpenSim/Grid/UserServer.Modules/UserManager.cs b/OpenSim/Grid/UserServer.Modules/UserManager.cs index 515c2bf..33b43e4 100644 --- a/OpenSim/Grid/UserServer.Modules/UserManager.cs +++ b/OpenSim/Grid/UserServer.Modules/UserManager.cs | |||
| @@ -109,7 +109,6 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 109 | m_httpServer.AddXmlRPCHandler("update_user_current_region", XmlRPCAtRegion); | 109 | m_httpServer.AddXmlRPCHandler("update_user_current_region", XmlRPCAtRegion); |
| 110 | m_httpServer.AddXmlRPCHandler("logout_of_simulator", XmlRPCLogOffUserMethodUUID); | 110 | m_httpServer.AddXmlRPCHandler("logout_of_simulator", XmlRPCLogOffUserMethodUUID); |
| 111 | m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", XmlRPCGetAgentMethodUUID); | 111 | m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", XmlRPCGetAgentMethodUUID); |
| 112 | m_httpServer.AddXmlRPCHandler("check_auth_session", XmlRPCCheckAuthSession); | ||
| 113 | 112 | ||
| 114 | m_httpServer.AddXmlRPCHandler("update_user_profile", XmlRpcResponseXmlRPCUpdateUserProfile); | 113 | m_httpServer.AddXmlRPCHandler("update_user_profile", XmlRpcResponseXmlRPCUpdateUserProfile); |
| 115 | 114 | ||
| @@ -133,21 +132,6 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 133 | return "OK"; | 132 | return "OK"; |
| 134 | } | 133 | } |
| 135 | 134 | ||
| 136 | /// <summary> | ||
| 137 | /// Returns an error message that the user could not be found in the database | ||
| 138 | /// </summary> | ||
| 139 | /// <returns>XML string consisting of a error element containing individual error(s)</returns> | ||
| 140 | public XmlRpcResponse CreateUnknownUserErrorResponse() | ||
| 141 | { | ||
| 142 | XmlRpcResponse response = new XmlRpcResponse(); | ||
| 143 | Hashtable responseData = new Hashtable(); | ||
| 144 | responseData["error_type"] = "unknown_user"; | ||
| 145 | responseData["error_desc"] = "The user requested is not in the database"; | ||
| 146 | |||
| 147 | response.Value = responseData; | ||
| 148 | return response; | ||
| 149 | } | ||
| 150 | |||
| 151 | public XmlRpcResponse AvatarPickerListtoXmlRPCResponse(UUID queryID, List<AvatarPickerAvatar> returnUsers) | 135 | public XmlRpcResponse AvatarPickerListtoXmlRPCResponse(UUID queryID, List<AvatarPickerAvatar> returnUsers) |
| 152 | { | 136 | { |
| 153 | XmlRpcResponse response = new XmlRpcResponse(); | 137 | XmlRpcResponse response = new XmlRpcResponse(); |
| @@ -278,7 +262,7 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 278 | string query = (string)requestData["avatar_name"]; | 262 | string query = (string)requestData["avatar_name"]; |
| 279 | 263 | ||
| 280 | if (null == query) | 264 | if (null == query) |
| 281 | return CreateUnknownUserErrorResponse(); | 265 | return Util.CreateUnknownUserErrorResponse(); |
| 282 | 266 | ||
| 283 | // Regex objAlphaNumericPattern = new Regex("[^a-zA-Z0-9]"); | 267 | // Regex objAlphaNumericPattern = new Regex("[^a-zA-Z0-9]"); |
| 284 | 268 | ||
| @@ -289,17 +273,17 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 289 | userProfile = m_userDataBaseService.GetUserProfile(querysplit[0], querysplit[1]); | 273 | userProfile = m_userDataBaseService.GetUserProfile(querysplit[0], querysplit[1]); |
| 290 | if (userProfile == null) | 274 | if (userProfile == null) |
| 291 | { | 275 | { |
| 292 | return CreateUnknownUserErrorResponse(); | 276 | return Util.CreateUnknownUserErrorResponse(); |
| 293 | } | 277 | } |
| 294 | } | 278 | } |
| 295 | else | 279 | else |
| 296 | { | 280 | { |
| 297 | return CreateUnknownUserErrorResponse(); | 281 | return Util.CreateUnknownUserErrorResponse(); |
| 298 | } | 282 | } |
| 299 | } | 283 | } |
| 300 | else | 284 | else |
| 301 | { | 285 | { |
| 302 | return CreateUnknownUserErrorResponse(); | 286 | return Util.CreateUnknownUserErrorResponse(); |
| 303 | } | 287 | } |
| 304 | 288 | ||
| 305 | return ProfileToXmlRPCResponse(userProfile); | 289 | return ProfileToXmlRPCResponse(userProfile); |
| @@ -322,17 +306,17 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 322 | } | 306 | } |
| 323 | catch (FormatException) | 307 | catch (FormatException) |
| 324 | { | 308 | { |
| 325 | return CreateUnknownUserErrorResponse(); | 309 | return Util.CreateUnknownUserErrorResponse(); |
| 326 | } | 310 | } |
| 327 | 311 | ||
| 328 | if (userProfile == null) | 312 | if (userProfile == null) |
| 329 | { | 313 | { |
| 330 | return CreateUnknownUserErrorResponse(); | 314 | return Util.CreateUnknownUserErrorResponse(); |
| 331 | } | 315 | } |
| 332 | } | 316 | } |
| 333 | else | 317 | else |
| 334 | { | 318 | { |
| 335 | return CreateUnknownUserErrorResponse(); | 319 | return Util.CreateUnknownUserErrorResponse(); |
| 336 | } | 320 | } |
| 337 | 321 | ||
| 338 | return ProfileToXmlRPCResponse(userProfile); | 322 | return ProfileToXmlRPCResponse(userProfile); |
| @@ -353,20 +337,20 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 353 | 337 | ||
| 354 | if (guess == UUID.Zero) | 338 | if (guess == UUID.Zero) |
| 355 | { | 339 | { |
| 356 | return CreateUnknownUserErrorResponse(); | 340 | return Util.CreateUnknownUserErrorResponse(); |
| 357 | } | 341 | } |
| 358 | 342 | ||
| 359 | userProfile = m_userDataBaseService.GetUserProfile(guess); | 343 | userProfile = m_userDataBaseService.GetUserProfile(guess); |
| 360 | 344 | ||
| 361 | if (userProfile == null) | 345 | if (userProfile == null) |
| 362 | { | 346 | { |
| 363 | return CreateUnknownUserErrorResponse(); | 347 | return Util.CreateUnknownUserErrorResponse(); |
| 364 | } | 348 | } |
| 365 | 349 | ||
| 366 | // no agent??? | 350 | // no agent??? |
| 367 | if (userProfile.CurrentAgent == null) | 351 | if (userProfile.CurrentAgent == null) |
| 368 | { | 352 | { |
| 369 | return CreateUnknownUserErrorResponse(); | 353 | return Util.CreateUnknownUserErrorResponse(); |
| 370 | } | 354 | } |
| 371 | Hashtable responseData = new Hashtable(); | 355 | Hashtable responseData = new Hashtable(); |
| 372 | 356 | ||
| @@ -381,53 +365,12 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 381 | } | 365 | } |
| 382 | else | 366 | else |
| 383 | { | 367 | { |
| 384 | return CreateUnknownUserErrorResponse(); | 368 | return Util.CreateUnknownUserErrorResponse(); |
| 385 | } | 369 | } |
| 386 | 370 | ||
| 387 | return response; | 371 | return response; |
| 388 | } | 372 | } |
| 389 | 373 | ||
| 390 | public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request) | ||
| 391 | { | ||
| 392 | XmlRpcResponse response = new XmlRpcResponse(); | ||
| 393 | Hashtable requestData = (Hashtable)request.Params[0]; | ||
| 394 | UserProfileData userProfile; | ||
| 395 | |||
| 396 | string authed = "FALSE"; | ||
| 397 | if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id")) | ||
| 398 | { | ||
| 399 | UUID guess_aid; | ||
| 400 | UUID guess_sid; | ||
| 401 | |||
| 402 | UUID.TryParse((string)requestData["avatar_uuid"], out guess_aid); | ||
| 403 | if (guess_aid == UUID.Zero) | ||
| 404 | { | ||
| 405 | return CreateUnknownUserErrorResponse(); | ||
| 406 | } | ||
| 407 | UUID.TryParse((string)requestData["session_id"], out guess_sid); | ||
| 408 | if (guess_sid == UUID.Zero) | ||
| 409 | { | ||
| 410 | return CreateUnknownUserErrorResponse(); | ||
| 411 | } | ||
| 412 | userProfile = m_userDataBaseService.GetUserProfile(guess_aid); | ||
| 413 | if (userProfile != null && userProfile.CurrentAgent != null && | ||
| 414 | userProfile.CurrentAgent.SessionID == guess_sid) | ||
| 415 | { | ||
| 416 | authed = "TRUE"; | ||
| 417 | } | ||
| 418 | m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid); | ||
| 419 | } | ||
| 420 | else | ||
| 421 | { | ||
| 422 | m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE"); | ||
| 423 | return CreateUnknownUserErrorResponse(); | ||
| 424 | } | ||
| 425 | Hashtable responseData = new Hashtable(); | ||
| 426 | responseData["auth_session"] = authed; | ||
| 427 | response.Value = responseData; | ||
| 428 | return response; | ||
| 429 | } | ||
| 430 | |||
| 431 | public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request) | 374 | public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request) |
| 432 | { | 375 | { |
| 433 | m_log.Debug("[UserManager]: Got request to update user profile"); | 376 | m_log.Debug("[UserManager]: Got request to update user profile"); |
| @@ -437,14 +380,14 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 437 | 380 | ||
| 438 | if (!requestData.Contains("avatar_uuid")) | 381 | if (!requestData.Contains("avatar_uuid")) |
| 439 | { | 382 | { |
| 440 | return CreateUnknownUserErrorResponse(); | 383 | return Util.CreateUnknownUserErrorResponse(); |
| 441 | } | 384 | } |
| 442 | 385 | ||
| 443 | UUID UserUUID = new UUID((string)requestData["avatar_uuid"]); | 386 | UUID UserUUID = new UUID((string)requestData["avatar_uuid"]); |
| 444 | UserProfileData userProfile = m_userDataBaseService.GetUserProfile(UserUUID); | 387 | UserProfileData userProfile = m_userDataBaseService.GetUserProfile(UserUUID); |
| 445 | if (null == userProfile) | 388 | if (null == userProfile) |
| 446 | { | 389 | { |
| 447 | return CreateUnknownUserErrorResponse(); | 390 | return Util.CreateUnknownUserErrorResponse(); |
| 448 | } | 391 | } |
| 449 | // don't know how yet. | 392 | // don't know how yet. |
| 450 | if (requestData.Contains("AllowPublish")) | 393 | if (requestData.Contains("AllowPublish")) |
| @@ -656,7 +599,7 @@ namespace OpenSim.Grid.UserServer.Modules | |||
| 656 | } | 599 | } |
| 657 | else | 600 | else |
| 658 | { | 601 | { |
| 659 | return CreateUnknownUserErrorResponse(); | 602 | return Util.CreateUnknownUserErrorResponse(); |
| 660 | } | 603 | } |
| 661 | 604 | ||
| 662 | return response; | 605 | return response; |