authorMelanie Thielker2010-07-15 20:03:08 +0200
committerMelanie2010-07-20 21:00:56 +0100
commit78605baab330f850f1b47d205b4041d59080a00c (patch)
treecb6c0d2b836260cd568b45c5bdc4dca203c080a7 /OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
parentadjust DialogModule to only send broadcast alerts to root agents (diff)
Fix a few permissions vulnerabilities. Owners could cause permissions
escalation on items contained in prims using a hacked viewer
Diffstat (limited to 'OpenSim/Region/Framework/Scenes/Scene.Inventory.cs')
-rw-r--r--OpenSim/Region/Framework/Scenes/Scene.Inventory.cs35
1 files changed, 32 insertions, 3 deletions
diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
index 6e73fe9..1bb7075 100644
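--- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
+++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
@@ -1340,16 +1340,45 @@ namespace OpenSim.Region.Framework.Scenes
 {
 agentTransactions.HandleTaskItemUpdateFromTransaction(
 remoteClient, part, transactionID, currentItem);
-}
-if (part.Inventory.UpdateInventoryItem(itemInfo))
-{
+
 if ((InventoryType)itemInfo.InvType == InventoryType.Notecard)
 remoteClient.SendAgentAlertMessage("Notecard saved", false);
 else if ((InventoryType)itemInfo.InvType == InventoryType.LSL)
 remoteClient.SendAgentAlertMessage("Script saved", false);
 else
 remoteClient.SendAgentAlertMessage("Item saved", false);
+}
 
+// Check if we're allowed to mess with permissions
+if (!Permissions.IsGod(remoteClient.AgentId)) // Not a god
+{
+if (remoteClient.AgentId != part.OwnerID) // Not owner
+{
+// Friends and group members can't change any perms
+itemInfo.BasePermissions = currentItem.BasePermissions;
+itemInfo.EveryonePermissions = currentItem.EveryonePermissions;
+itemInfo.GroupPermissions = currentItem.GroupPermissions;
+itemInfo.NextPermissions = currentItem.NextPermissions;
+itemInfo.CurrentPermissions = currentItem.CurrentPermissions;
+}
+else
+{
+// Owner can't change base, and can change other
+// only up to base
+// Base ALWAYS has move
+currentItem.BasePermissions |= (uint)PermissionMask.Move;
+itemInfo.BasePermissions = currentItem.BasePermissions;
+itemInfo.EveryonePermissions &= currentItem.BasePermissions;
+itemInfo.GroupPermissions &= currentItem.BasePermissions;
+itemInfo.CurrentPermissions &= currentItem.BasePermissions;
+itemInfo.NextPermissions &= currentItem.BasePermissions;
+// Next ALWAYS has move
+itemInfo.NextPermissions |= (uint)PermissionMask.Move;
+}
+
+}
+if (part.Inventory.UpdateInventoryItem(itemInfo))
+{
 part.GetProperties(remoteClient);
 }
 }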
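Review bot: The "Notecard saved" / "Script saved" / "Item saved" alerts now run before the permission clamp and before `part.Inventory.UpdateInventoryItem(itemInfo)`, so the client is told the item was saved even when that call returns false. Judging by the moved `}`, they are also sent only on the transaction branch, but the enclosing `if` starts outside the hunk, so confirm that. Consider moving the alert chain back into the final `if (part.Inventory.UpdateInventoryItem(itemInfo))` block, next to `part.GetProperties(remoteClient);`. The clamp also corrects the requested masks silently; a request that asks for more than `currentItem.BasePermissions` suggests a modified viewer, so a log entry naming the agent and item whenever a mask is changed would make such attempts visible to operators. Finally, the non-owner branch copies `currentItem.BasePermissions` without the `|= (uint)PermissionMask.Move` applied in the owner branch, which does not match the "Base ALWAYS has move" comment.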