diff options
author | Melanie | 2010-10-09 01:02:57 +0200 |
---|---|---|
committer | Melanie | 2010-10-09 01:02:57 +0200 |
commit | ff49a21eca5b084bf0df71f69bce98db0b2f0094 (patch) | |
tree | f32375693e6922753b773f1161b26156207a30bb /OpenSim/Region/Framework/Scenes | |
parent | Make SendKillObject send multiple localIDs in one packet. This avoids the (diff) | |
download | opensim-SC_OLD-ff49a21eca5b084bf0df71f69bce98db0b2f0094.zip opensim-SC_OLD-ff49a21eca5b084bf0df71f69bce98db0b2f0094.tar.gz opensim-SC_OLD-ff49a21eca5b084bf0df71f69bce98db0b2f0094.tar.bz2 opensim-SC_OLD-ff49a21eca5b084bf0df71f69bce98db0b2f0094.tar.xz |
Fix a security relevant issue with take / take copy
Diffstat (limited to 'OpenSim/Region/Framework/Scenes')
-rw-r--r-- | OpenSim/Region/Framework/Scenes/Scene.Inventory.cs | 110 |
1 files changed, 62 insertions, 48 deletions
diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs index 6d7f984..9b5459d 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs | |||
@@ -1695,6 +1695,7 @@ namespace OpenSim.Region.Framework.Scenes | |||
1695 | // build a list of eligible objects | 1695 | // build a list of eligible objects |
1696 | List<uint> deleteIDs = new List<uint>(); | 1696 | List<uint> deleteIDs = new List<uint>(); |
1697 | List<SceneObjectGroup> deleteGroups = new List<SceneObjectGroup>(); | 1697 | List<SceneObjectGroup> deleteGroups = new List<SceneObjectGroup>(); |
1698 | List<SceneObjectGroup> takeGroups = new List<SceneObjectGroup>(); | ||
1698 | 1699 | ||
1699 | // Start with true for both, then remove the flags if objects | 1700 | // Start with true for both, then remove the flags if objects |
1700 | // that we can't derez are part of the selection | 1701 | // that we can't derez are part of the selection |
@@ -1727,9 +1728,6 @@ namespace OpenSim.Region.Framework.Scenes | |||
1727 | 1728 | ||
1728 | SceneObjectGroup grp = part.ParentGroup; | 1729 | SceneObjectGroup grp = part.ParentGroup; |
1729 | 1730 | ||
1730 | deleteGroups.Add(grp); | ||
1731 | deleteIDs.Add(grp.LocalId); | ||
1732 | |||
1733 | if (remoteClient == null) | 1731 | if (remoteClient == null) |
1734 | { | 1732 | { |
1735 | // Autoreturn has a null client. Nothing else does. So | 1733 | // Autoreturn has a null client. Nothing else does. So |
@@ -1756,73 +1754,89 @@ namespace OpenSim.Region.Framework.Scenes | |||
1756 | if (!Permissions.CanDeleteObject(grp.UUID, remoteClient.AgentId)) | 1754 | if (!Permissions.CanDeleteObject(grp.UUID, remoteClient.AgentId)) |
1757 | permissionToDelete = false; | 1755 | permissionToDelete = false; |
1758 | } | 1756 | } |
1759 | } | ||
1760 | 1757 | ||
1761 | // Handle god perms | 1758 | // Handle god perms |
1762 | if ((remoteClient != null) && Permissions.IsGod(remoteClient.AgentId)) | 1759 | if ((remoteClient != null) && Permissions.IsGod(remoteClient.AgentId)) |
1763 | { | 1760 | { |
1764 | permissionToTake = true; | 1761 | permissionToTake = true; |
1765 | permissionToTakeCopy = true; | 1762 | permissionToTakeCopy = true; |
1766 | permissionToDelete = true; | 1763 | permissionToDelete = true; |
1767 | } | 1764 | } |
1768 | 1765 | ||
1769 | // If we're re-saving, we don't even want to delete | 1766 | // If we're re-saving, we don't even want to delete |
1770 | if (action == DeRezAction.SaveToExistingUserInventoryItem) | 1767 | if (action == DeRezAction.SaveToExistingUserInventoryItem) |
1771 | permissionToDelete = false; | 1768 | permissionToDelete = false; |
1772 | 1769 | ||
1773 | // if we want to take a copy, we also don't want to delete | 1770 | // if we want to take a copy, we also don't want to delete |
1774 | // Note: after this point, the permissionToTakeCopy flag | 1771 | // Note: after this point, the permissionToTakeCopy flag |
1775 | // becomes irrelevant. It already includes the permissionToTake | 1772 | // becomes irrelevant. It already includes the permissionToTake |
1776 | // permission and after excluding no copy items here, we can | 1773 | // permission and after excluding no copy items here, we can |
1777 | // just use that. | 1774 | // just use that. |
1778 | if (action == DeRezAction.TakeCopy) | 1775 | if (action == DeRezAction.TakeCopy) |
1779 | { | 1776 | { |
1780 | // If we don't have permission, stop right here | 1777 | // If we don't have permission, stop right here |
1781 | if (!permissionToTakeCopy) | 1778 | if (!permissionToTakeCopy) |
1782 | return; | 1779 | return; |
1783 | 1780 | ||
1784 | permissionToTake = true; | 1781 | permissionToTake = true; |
1785 | // Don't delete | 1782 | // Don't delete |
1786 | permissionToDelete = false; | 1783 | permissionToDelete = false; |
1787 | } | 1784 | } |
1788 | 1785 | ||
1789 | if (action == DeRezAction.Return) | 1786 | if (action == DeRezAction.Return) |
1790 | { | ||
1791 | if (remoteClient != null) | ||
1792 | { | 1787 | { |
1793 | if (Permissions.CanReturnObjects( | 1788 | if (remoteClient != null) |
1794 | null, | 1789 | { |
1795 | remoteClient.AgentId, | 1790 | if (Permissions.CanReturnObjects( |
1796 | deleteGroups)) | 1791 | null, |
1792 | remoteClient.AgentId, | ||
1793 | deleteGroups)) | ||
1794 | { | ||
1795 | permissionToTake = true; | ||
1796 | permissionToDelete = true; | ||
1797 | |||
1798 | AddReturn(grp.OwnerID, grp.Name, grp.AbsolutePosition, "parcel owner return"); | ||
1799 | } | ||
1800 | } | ||
1801 | else // Auto return passes through here with null agent | ||
1797 | { | 1802 | { |
1798 | permissionToTake = true; | 1803 | permissionToTake = true; |
1799 | permissionToDelete = true; | 1804 | permissionToDelete = true; |
1805 | } | ||
1800 | 1806 | ||
1801 | foreach (SceneObjectGroup g in deleteGroups) | 1807 | if (permissionToTake && (!permissionToDelete)) |
1802 | { | 1808 | takeGroups.Add(grp); |
1803 | AddReturn(g.OwnerID, g.Name, g.AbsolutePosition, "parcel owner return"); | 1809 | |
1804 | } | 1810 | if (permissionToDelete) |
1811 | { | ||
1812 | if (permissionToTake) | ||
1813 | deleteGroups.Add(grp); | ||
1814 | deleteIDs.Add(grp.LocalId); | ||
1805 | } | 1815 | } |
1806 | } | 1816 | } |
1807 | else // Auto return passes through here with null agent | ||
1808 | { | ||
1809 | permissionToTake = true; | ||
1810 | permissionToDelete = true; | ||
1811 | } | ||
1812 | } | 1817 | } |
1813 | 1818 | ||
1814 | SendKillObject(deleteIDs); | 1819 | SendKillObject(deleteIDs); |
1815 | 1820 | ||
1816 | if (permissionToTake) | 1821 | if (deleteGroups.Count > 0) |
1817 | { | 1822 | { |
1823 | foreach (SceneObjectGroup g in deleteGroups) | ||
1824 | deleteIDs.Remove(g.LocalId); | ||
1825 | |||
1818 | m_asyncSceneObjectDeleter.DeleteToInventory( | 1826 | m_asyncSceneObjectDeleter.DeleteToInventory( |
1819 | action, destinationID, deleteGroups, remoteClient, | 1827 | action, destinationID, deleteGroups, remoteClient, |
1820 | permissionToDelete); | 1828 | true); |
1829 | } | ||
1830 | if (takeGroups.Count > 0) | ||
1831 | { | ||
1832 | m_asyncSceneObjectDeleter.DeleteToInventory( | ||
1833 | action, destinationID, takeGroups, remoteClient, | ||
1834 | false); | ||
1821 | } | 1835 | } |
1822 | else if (permissionToDelete) | 1836 | if (deleteIDs.Count > 0) |
1823 | { | 1837 | { |
1824 | foreach (SceneObjectGroup g in deleteGroups) | 1838 | foreach (SceneObjectGroup g in deleteGroups) |
1825 | DeleteSceneObject(g, false); | 1839 | DeleteSceneObject(g, true); |
1826 | } | 1840 | } |
1827 | } | 1841 | } |
1828 | 1842 | ||