Make private services forbid llHTTPRequest() calls by rejecting those that have the X-SecondLife-Shard header.

If you need to enable this, set AllowHttpRequestIn = true in [Network] for all private services or individual [*Service] sections.
author: Justin Clark-Casey (justincc) 2015-03-04 17:51:11 +0000
committer: Justin Clark-Casey (justincc) 2015-03-04 18:27:51 +0000
commit: 3255335c42ff348465d235a3ccf9558d0d6d414b (patch)
tree: 5537a8bb51ef79f1b42a0a29e167da939630f434 /bin/Robust.ini.example
parent: Add outbound URL filter to llHttpRequest() and osSetDynamicTextureURL*() scri... (diff)
download: opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.zip
opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.gz
opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.bz2
opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.xz
1 files changed, 7 insertions, 0 deletions
diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example
index a0b8f50..48deeae 100644
--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -129,6 +129,13 @@
    ;; This is useful in cases where you want to protect most of the services,
    ;; but unprotect individual services. Username and Password can also be
    ;; overriden if you want to use different credentials for the different services.
+    
+    ;; By default, scripts are not allowed to call private services via llHttpRequest()
+    ;; Such calls are detected by the X-SecondLife-Shared HTTP header
+    ;; If you allow such calls you must be sure that they are restricted to very trusted scripters
+    ;; (remember scripts can also be in visiting avatar attachments).
+    ;; This can be overriden in individual private service sections if necessary
+    AllowllHTTPRequestIn = false
    ; * The following are for the remote console
    ; * They have no effect for the local or basic console types
author	Justin Clark-Casey (justincc)	2015-03-04 17:51:11 +0000
committer	Justin Clark-Casey (justincc)	2015-03-04 18:27:51 +0000
commit	3255335c42ff348465d235a3ccf9558d0d6d414b (patch)
tree	5537a8bb51ef79f1b42a0a29e167da939630f434 /bin/Robust.ini.example
parent	Add outbound URL filter to llHttpRequest() and osSetDynamicTextureURL*() scri... (diff)
download	opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.zip opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.gz opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.bz2 opensim-SC_OLD-3255335c42ff348465d235a3ccf9558d0d6d414b.tar.xz

diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example index a0b8f50..48deeae 100644 --- a/bin/Robust.ini.example +++ b/bin/Robust.ini.example
@@ -129,6 +129,13 @@
129	;; This is useful in cases where you want to protect most of the services,	129	;; This is useful in cases where you want to protect most of the services,
130	;; but unprotect individual services. Username and Password can also be	130	;; but unprotect individual services. Username and Password can also be
131	;; overriden if you want to use different credentials for the different services.	131	;; overriden if you want to use different credentials for the different services.
		132
		133	;; By default, scripts are not allowed to call private services via llHttpRequest()
		134	;; Such calls are detected by the X-SecondLife-Shared HTTP header
		135	;; If you allow such calls you must be sure that they are restricted to very trusted scripters
		136	;; (remember scripts can also be in visiting avatar attachments).
		137	;; This can be overriden in individual private service sections if necessary
		138	AllowllHTTPRequestIn = false
132		139
133	; * The following are for the remote console	140	; * The following are for the remote console
134	; * They have no effect for the local or basic console types	141	; * They have no effect for the local or basic console types