diff options
| author | Johan Berntsson | 2008-07-23 06:59:02 +0000 |
|---|---|---|
| committer | Johan Berntsson | 2008-07-23 06:59:02 +0000 |
| commit | 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 (patch) | |
| tree | 2c4d9fdd3d63384f009307f63eb6e0646e054593 /OpenSim/Grid | |
| parent | Enable LSL <-> C# source location mapping when reporing compiler errors to th... (diff) | |
| download | opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.zip opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.gz opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.bz2 opensim-SC_OLD-344c9caeb671f3d9dab80f05d18a7dc9f3075bc1.tar.xz | |
thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)
Diffstat (limited to 'OpenSim/Grid')
| -rw-r--r-- | OpenSim/Grid/InventoryServer/GridInventoryService.cs | 41 | ||||
| -rw-r--r-- | OpenSim/Grid/InventoryServer/Main.cs | 39 | ||||
| -rw-r--r-- | OpenSim/Grid/UserServer/Main.cs | 1 | ||||
| -rw-r--r-- | OpenSim/Grid/UserServer/UserManager.cs | 39 |
4 files changed, 101 insertions, 19 deletions
diff --git a/OpenSim/Grid/InventoryServer/GridInventoryService.cs b/OpenSim/Grid/InventoryServer/GridInventoryService.cs index 5388263..78f33a3 100644 --- a/OpenSim/Grid/InventoryServer/GridInventoryService.cs +++ b/OpenSim/Grid/InventoryServer/GridInventoryService.cs | |||
| @@ -26,12 +26,15 @@ | |||
| 26 | */ | 26 | */ |
| 27 | 27 | ||
| 28 | using System; | 28 | using System; |
| 29 | using System.Collections; | ||
| 29 | using System.Collections.Generic; | 30 | using System.Collections.Generic; |
| 30 | using System.Reflection; | 31 | using System.Reflection; |
| 31 | using System.Threading; | 32 | using System.Threading; |
| 33 | using System.Net; | ||
| 32 | 34 | ||
| 33 | using libsecondlife; | 35 | using libsecondlife; |
| 34 | using log4net; | 36 | using log4net; |
| 37 | using Nwc.XmlRpc; | ||
| 35 | 38 | ||
| 36 | using OpenSim.Framework; | 39 | using OpenSim.Framework; |
| 37 | using OpenSim.Framework.Communications; | 40 | using OpenSim.Framework.Communications; |
| @@ -46,6 +49,44 @@ namespace OpenSim.Grid.InventoryServer | |||
| 46 | private static readonly ILog m_log | 49 | private static readonly ILog m_log |
| 47 | = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); | 50 | = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); |
| 48 | 51 | ||
| 52 | private string m_userserver_url; | ||
| 53 | |||
| 54 | public GridInventoryService(string userserver_url) | ||
| 55 | { | ||
| 56 | m_userserver_url = userserver_url; | ||
| 57 | } | ||
| 58 | |||
| 59 | public bool CheckTrustSource(IPEndPoint peer) | ||
| 60 | { | ||
| 61 | m_log.InfoFormat("[GRID AGENT INVENTORY]: checking trusted source {0}", peer.ToString()); | ||
| 62 | UriBuilder ub = new UriBuilder(m_userserver_url); | ||
| 63 | if (ub.Host == peer.Address.ToString()) | ||
| 64 | { | ||
| 65 | return true; | ||
| 66 | } | ||
| 67 | return false; | ||
| 68 | } | ||
| 69 | |||
| 70 | public bool CheckAuthSession(string session_id, string avatar_id) | ||
| 71 | { | ||
| 72 | m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session {0} {1}", session_id, avatar_id); | ||
| 73 | Hashtable requestData = new Hashtable(); | ||
| 74 | requestData["avatar_uuid"] = avatar_id; | ||
| 75 | requestData["session_id"] = session_id; | ||
| 76 | ArrayList SendParams = new ArrayList(); | ||
| 77 | SendParams.Add(requestData); | ||
| 78 | XmlRpcRequest UserReq = new XmlRpcRequest("check_auth_session", SendParams); | ||
| 79 | XmlRpcResponse UserResp = UserReq.Send(m_userserver_url, 3000); | ||
| 80 | |||
| 81 | Hashtable responseData = (Hashtable)UserResp.Value; | ||
| 82 | |||
| 83 | if (responseData.ContainsKey("auth_session") && responseData["auth_session"].ToString() == "TRUE") | ||
| 84 | { | ||
| 85 | return true; | ||
| 86 | } | ||
| 87 | return false; | ||
| 88 | } | ||
| 89 | |||
| 49 | public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback) | 90 | public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback) |
| 50 | { | 91 | { |
| 51 | } | 92 | } |
diff --git a/OpenSim/Grid/InventoryServer/Main.cs b/OpenSim/Grid/InventoryServer/Main.cs index 2ab1916..138aa1a 100644 --- a/OpenSim/Grid/InventoryServer/Main.cs +++ b/OpenSim/Grid/InventoryServer/Main.cs | |||
| @@ -70,7 +70,8 @@ namespace OpenSim.Grid.InventoryServer | |||
| 70 | 70 | ||
| 71 | m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml"))); | 71 | m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml"))); |
| 72 | 72 | ||
| 73 | m_inventoryService = new GridInventoryService(); | 73 | //m_inventoryService = new GridInventoryService(); |
| 74 | m_inventoryService = new GridInventoryService(m_config.UserServerURL); | ||
| 74 | m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect); | 75 | m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect); |
| 75 | 76 | ||
| 76 | m_log.Info("[" + LogName + "]: Starting HTTP server ..."); | 77 | m_log.Info("[" + LogName + "]: Starting HTTP server ..."); |
| @@ -85,36 +86,36 @@ namespace OpenSim.Grid.InventoryServer | |||
| 85 | protected void AddHttpHandlers() | 86 | protected void AddHttpHandlers() |
| 86 | { | 87 | { |
| 87 | m_httpServer.AddStreamHandler( | 88 | m_httpServer.AddStreamHandler( |
| 88 | new RestDeserialiseHandler<Guid, InventoryCollection>( | 89 | new RestDeserialiseSecureHandler<Guid, InventoryCollection>( |
| 89 | "POST", "/GetInventory/", m_inventoryService.GetUserInventory)); | 90 | "POST", "/GetInventory/", m_inventoryService.GetUserInventory, m_inventoryService.CheckAuthSession)); |
| 90 | 91 | ||
| 91 | m_httpServer.AddStreamHandler( | 92 | m_httpServer.AddStreamHandler( |
| 92 | new RestDeserialiseHandler<Guid, bool>( | 93 | new RestDeserialiseTrustedHandler<Guid, bool>( |
| 93 | "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory)); | 94 | "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory, m_inventoryService.CheckTrustSource)); |
| 94 | 95 | ||
| 95 | m_httpServer.AddStreamHandler( | 96 | m_httpServer.AddStreamHandler( |
| 96 | new RestDeserialiseHandler<InventoryFolderBase, bool>( | 97 | new RestDeserialiseSecureHandler<InventoryFolderBase, bool>( |
| 97 | "POST", "/NewFolder/", m_inventoryService.AddFolder)); | 98 | "POST", "/NewFolder/", m_inventoryService.AddFolder, m_inventoryService.CheckAuthSession)); |
| 98 | 99 | ||
| 99 | m_httpServer.AddStreamHandler( | 100 | m_httpServer.AddStreamHandler( |
| 100 | new RestDeserialiseHandler<InventoryFolderBase, bool>( | 101 | new RestDeserialiseSecureHandler<InventoryFolderBase, bool>( |
| 101 | "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder)); | 102 | "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder, m_inventoryService.CheckAuthSession)); |
| 102 | 103 | ||
| 103 | m_httpServer.AddStreamHandler( | 104 | m_httpServer.AddStreamHandler( |
| 104 | new RestDeserialiseHandler<InventoryFolderBase, bool>( | 105 | new RestDeserialiseSecureHandler<InventoryFolderBase, bool>( |
| 105 | "POST", "/MoveFolder/", m_inventoryService.MoveFolder)); | 106 | "POST", "/MoveFolder/", m_inventoryService.MoveFolder, m_inventoryService.CheckAuthSession)); |
| 106 | 107 | ||
| 107 | m_httpServer.AddStreamHandler( | 108 | m_httpServer.AddStreamHandler( |
| 108 | new RestDeserialiseHandler<InventoryFolderBase, bool>( | 109 | new RestDeserialiseSecureHandler<InventoryFolderBase, bool>( |
| 109 | "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder)); | 110 | "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder, m_inventoryService.CheckAuthSession)); |
| 110 | 111 | ||
| 111 | m_httpServer.AddStreamHandler( | 112 | m_httpServer.AddStreamHandler( |
| 112 | new RestDeserialiseHandler<InventoryItemBase, bool>( | 113 | new RestDeserialiseSecureHandler<InventoryItemBase, bool>( |
| 113 | "POST", "/NewItem/", m_inventoryService.AddItem)); | 114 | "POST", "/NewItem/", m_inventoryService.AddItem, m_inventoryService.CheckAuthSession)); |
| 114 | 115 | ||
| 115 | m_httpServer.AddStreamHandler( | 116 | m_httpServer.AddStreamHandler( |
| 116 | new RestDeserialiseHandler<InventoryItemBase, bool>( | 117 | new RestDeserialiseSecureHandler<InventoryItemBase, bool>( |
| 117 | "POST", "/DeleteItem/", m_inventoryService.DeleteItem)); | 118 | "POST", "/DeleteItem/", m_inventoryService.DeleteItem, m_inventoryService.CheckAuthSession)); |
| 118 | 119 | ||
| 119 | // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g | 120 | // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g |
| 120 | // system folders such as Objects, Textures), but it now returns the entire inventory skeleton. | 121 | // system folders such as Objects, Textures), but it now returns the entire inventory skeleton. |
| @@ -122,8 +123,8 @@ namespace OpenSim.Grid.InventoryServer | |||
| 122 | // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier | 123 | // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier |
| 123 | // to do this for now. | 124 | // to do this for now. |
| 124 | m_httpServer.AddStreamHandler( | 125 | m_httpServer.AddStreamHandler( |
| 125 | new RestDeserialiseHandler<Guid, List<InventoryFolderBase>> | 126 | new RestDeserialiseTrustedHandler<Guid, List<InventoryFolderBase>> |
| 126 | ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton)); | 127 | ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton, m_inventoryService.CheckTrustSource)); |
| 127 | } | 128 | } |
| 128 | 129 | ||
| 129 | private void Work() | 130 | private void Work() |
diff --git a/OpenSim/Grid/UserServer/Main.cs b/OpenSim/Grid/UserServer/Main.cs index c7011a9..30a41f4 100644 --- a/OpenSim/Grid/UserServer/Main.cs +++ b/OpenSim/Grid/UserServer/Main.cs | |||
| @@ -142,6 +142,7 @@ namespace OpenSim.Grid.UserServer | |||
| 142 | m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion); | 142 | m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion); |
| 143 | m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID); | 143 | m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID); |
| 144 | m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID); | 144 | m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID); |
| 145 | m_httpServer.AddXmlRPCHandler("check_auth_session", m_userManager.XmlRPCCheckAuthSession); | ||
| 145 | // Message Server ---> User Server | 146 | // Message Server ---> User Server |
| 146 | m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer); | 147 | m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer); |
| 147 | m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion); | 148 | m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion); |
diff --git a/OpenSim/Grid/UserServer/UserManager.cs b/OpenSim/Grid/UserServer/UserManager.cs index ff62d78..a43ade1 100644 --- a/OpenSim/Grid/UserServer/UserManager.cs +++ b/OpenSim/Grid/UserServer/UserManager.cs | |||
| @@ -457,6 +457,45 @@ namespace OpenSim.Grid.UserServer | |||
| 457 | return response; | 457 | return response; |
| 458 | } | 458 | } |
| 459 | 459 | ||
| 460 | public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request) | ||
| 461 | { | ||
| 462 | XmlRpcResponse response = new XmlRpcResponse(); | ||
| 463 | Hashtable requestData = (Hashtable)request.Params[0]; | ||
| 464 | UserProfileData userProfile; | ||
| 465 | |||
| 466 | string authed = "FALSE"; | ||
| 467 | if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id")) | ||
| 468 | { | ||
| 469 | LLUUID guess_aid = LLUUID.Zero; | ||
| 470 | LLUUID guess_sid = LLUUID.Zero; | ||
| 471 | |||
| 472 | Helpers.TryParse((string)requestData["avatar_uuid"], out guess_aid); | ||
| 473 | if (guess_aid == LLUUID.Zero) | ||
| 474 | { | ||
| 475 | return CreateUnknownUserErrorResponse(); | ||
| 476 | } | ||
| 477 | Helpers.TryParse((string)requestData["session_id"], out guess_sid); | ||
| 478 | if (guess_sid == LLUUID.Zero) | ||
| 479 | { | ||
| 480 | return CreateUnknownUserErrorResponse(); | ||
| 481 | } | ||
| 482 | userProfile = GetUserProfile(guess_aid); | ||
| 483 | if (userProfile != null && userProfile.CurrentAgent != null && userProfile.CurrentAgent.SessionID == guess_sid) | ||
| 484 | { | ||
| 485 | authed = "TRUE"; | ||
| 486 | } | ||
| 487 | m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid); | ||
| 488 | } | ||
| 489 | else | ||
| 490 | { | ||
| 491 | m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE"); | ||
| 492 | return CreateUnknownUserErrorResponse(); | ||
| 493 | } | ||
| 494 | Hashtable responseData = new Hashtable(); | ||
| 495 | responseData["auth_session"] = authed; | ||
| 496 | response.Value = responseData; | ||
| 497 | return response; | ||
| 498 | } | ||
| 460 | 499 | ||
| 461 | public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request) | 500 | public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request) |
| 462 | { | 501 | { |