thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)

author: Johan Berntsson 2008-07-23 06:59:02 +0000
committer: Johan Berntsson 2008-07-23 06:59:02 +0000
commit: 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 (patch)
tree: 2c4d9fdd3d63384f009307f63eb6e0646e054593 /OpenSim/Grid/UserServer
parent: Enable LSL <-> C# source location mapping when reporing compiler errors to th... (diff)
download: opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.zip
opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.gz
opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.bz2
opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.xz
2 files changed, 40 insertions, 0 deletions
diff --git a/OpenSim/Grid/UserServer/Main.cs b/OpenSim/Grid/UserServer/Main.cs
index c7011a9..30a41f4 100644
--- a/OpenSim/Grid/UserServer/Main.cs
+++ b/OpenSim/Grid/UserServer/Main.cs
@@ -142,6 +142,7 @@ namespace OpenSim.Grid.UserServer
            m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion);
            m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID);
            m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID);
+            m_httpServer.AddXmlRPCHandler("check_auth_session", m_userManager.XmlRPCCheckAuthSession);
            // Message Server ---> User Server
            m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer);
            m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion);
diff --git a/OpenSim/Grid/UserServer/UserManager.cs b/OpenSim/Grid/UserServer/UserManager.cs
index ff62d78..a43ade1 100644
--- a/OpenSim/Grid/UserServer/UserManager.cs
+++ b/OpenSim/Grid/UserServer/UserManager.cs
@@ -457,6 +457,45 @@ namespace OpenSim.Grid.UserServer
            return response;
        }
+        public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request)
+        {
+            XmlRpcResponse response = new XmlRpcResponse();
+            Hashtable requestData = (Hashtable)request.Params[0];
+            UserProfileData userProfile;
+            string authed = "FALSE";
+            if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id"))
+            {
+                LLUUID guess_aid = LLUUID.Zero;
+                LLUUID guess_sid = LLUUID.Zero;
+                Helpers.TryParse((string)requestData["avatar_uuid"], out guess_aid);
+                if (guess_aid == LLUUID.Zero)
+                {
+                    return CreateUnknownUserErrorResponse();
+                }
+                Helpers.TryParse((string)requestData["session_id"], out guess_sid);
+                if (guess_sid == LLUUID.Zero)
+                {
+                    return CreateUnknownUserErrorResponse();
+                }
+                userProfile = GetUserProfile(guess_aid);
+                if (userProfile != null && userProfile.CurrentAgent != null && userProfile.CurrentAgent.SessionID == guess_sid)
+                {
+                    authed = "TRUE";
+                }
+                m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid);
+            }
+            else
+            {
+                m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE");
+                return CreateUnknownUserErrorResponse();
+            }
+            Hashtable responseData = new Hashtable();
+            responseData["auth_session"] = authed;
+            response.Value = responseData;
+            return response;
+        }
        public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request)
        {
author	Johan Berntsson	2008-07-23 06:59:02 +0000
committer	Johan Berntsson	2008-07-23 06:59:02 +0000
commit	344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 (patch)
tree	2c4d9fdd3d63384f009307f63eb6e0646e054593 /OpenSim/Grid/UserServer
parent	Enable LSL <-> C# source location mapping when reporing compiler errors to th... (diff)
download	opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.zip opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.gz opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.bz2 opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.xz

diff --git a/OpenSim/Grid/UserServer/Main.cs b/OpenSim/Grid/UserServer/Main.cs index c7011a9..30a41f4 100644 --- a/OpenSim/Grid/UserServer/Main.cs +++ b/OpenSim/Grid/UserServer/Main.cs
@@ -142,6 +142,7 @@ namespace OpenSim.Grid.UserServer
142	m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion);	142	m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion);
143	m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID);	143	m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID);
144	m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID);	144	m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID);
		145	m_httpServer.AddXmlRPCHandler("check_auth_session", m_userManager.XmlRPCCheckAuthSession);
145	// Message Server ---> User Server	146	// Message Server ---> User Server
146	m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer);	147	m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer);
147	m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion);	148	m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion);


diff --git a/OpenSim/Grid/UserServer/UserManager.cs b/OpenSim/Grid/UserServer/UserManager.cs index ff62d78..a43ade1 100644 --- a/OpenSim/Grid/UserServer/UserManager.cs +++ b/OpenSim/Grid/UserServer/UserManager.cs
@@ -457,6 +457,45 @@ namespace OpenSim.Grid.UserServer
457	return response;	457	return response;
458	}	458	}
459		459
		460	public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request)
		461	{
		462	XmlRpcResponse response = new XmlRpcResponse();
		463	Hashtable requestData = (Hashtable)request.Params[0];
		464	UserProfileData userProfile;
		465
		466	string authed = "FALSE";
		467	if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id"))
		468	{
		469	LLUUID guess_aid = LLUUID.Zero;
		470	LLUUID guess_sid = LLUUID.Zero;
		471
		472	Helpers.TryParse((string)requestData["avatar_uuid"], out guess_aid);
		473	if (guess_aid == LLUUID.Zero)
		474	{
		475	return CreateUnknownUserErrorResponse();
		476	}
		477	Helpers.TryParse((string)requestData["session_id"], out guess_sid);
		478	if (guess_sid == LLUUID.Zero)
		479	{
		480	return CreateUnknownUserErrorResponse();
		481	}
		482	userProfile = GetUserProfile(guess_aid);
		483	if (userProfile != null && userProfile.CurrentAgent != null && userProfile.CurrentAgent.SessionID == guess_sid)
		484	{
		485	authed = "TRUE";
		486	}
		487	m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid);
		488	}
		489	else
		490	{
		491	m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE");
		492	return CreateUnknownUserErrorResponse();
		493	}
		494	Hashtable responseData = new Hashtable();
		495	responseData["auth_session"] = authed;
		496	response.Value = responseData;
		497	return response;
		498	}
460		499
461	public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request)	500	public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request)
462	{	501	{