aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
-rw-r--r--OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs15
-rw-r--r--OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs25
-rw-r--r--OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs71
-rw-r--r--OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs57
-rw-r--r--OpenSim/Framework/ServiceAuth/IServiceAuth.cs3
-rw-r--r--OpenSim/Framework/ServiceAuth/ServiceAuth.cs18
-rw-r--r--bin/Robust.HG.ini.example7
-rw-r--r--bin/Robust.ini.example7
8 files changed, 184 insertions, 19 deletions
diff --git a/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs b/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs
index f160734..41aa19b 100644
--- a/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs
+++ b/OpenSim/Framework/Servers/HttpServer/BaseStreamHandler.cs
@@ -56,12 +56,17 @@ namespace OpenSim.Framework.Servers.HttpServer
56 string path, Stream request, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse) 56 string path, Stream request, IOSHttpRequest httpRequest, IOSHttpResponse httpResponse)
57 { 57 {
58 RequestsReceived++; 58 RequestsReceived++;
59 if (m_Auth != null && !m_Auth.Authenticate(httpRequest.Headers, httpResponse.AddHeader)) 59
60 if (m_Auth != null)
60 { 61 {
61 62 HttpStatusCode statusCode;
62 httpResponse.StatusCode = (int)HttpStatusCode.Unauthorized; 63
63 httpResponse.ContentType = "text/plain"; 64 if (!m_Auth.Authenticate(httpRequest.Headers, httpResponse.AddHeader, out statusCode))
64 return new byte[0]; 65 {
66 httpResponse.StatusCode = (int)statusCode;
67 httpResponse.ContentType = "text/plain";
68 return new byte[0];
69 }
65 } 70 }
66 71
67 byte[] result = ProcessRequest(path, request, httpRequest, httpResponse); 72 byte[] result = ProcessRequest(path, request, httpRequest, httpResponse);
diff --git a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
index b3d64e1..3c13bbf 100644
--- a/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
+++ b/OpenSim/Framework/ServiceAuth/BasicHttpAuthentication.cs
@@ -28,6 +28,7 @@
28using System; 28using System;
29using System.Collections.Generic; 29using System.Collections.Generic;
30using System.Collections.Specialized; 30using System.Collections.Specialized;
31using System.Net;
31using System.Reflection; 32using System.Reflection;
32 33
33using Nini.Config; 34using Nini.Config;
@@ -82,24 +83,28 @@ namespace OpenSim.Framework.ServiceAuth
82 return false; 83 return false;
83 } 84 }
84 85
85 public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d) 86 public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode)
86 { 87 {
87 //m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", remove_me); 88// m_log.DebugFormat("[HTTP BASIC AUTH]: Authenticate in {0}", "BasicHttpAuthentication");
88 if (requestHeaders != null) 89
90 string value = requestHeaders.Get("Authorization");
91 if (value != null)
89 { 92 {
90 string value = requestHeaders.Get("Authorization"); 93 value = value.Trim();
91 if (value != null) 94 if (value.StartsWith("Basic "))
92 { 95 {
93 value = value.Trim(); 96 value = value.Replace("Basic ", string.Empty);
94 if (value.StartsWith("Basic ")) 97 if (Authenticate(value))
95 { 98 {
96 value = value.Replace("Basic ", string.Empty); 99 statusCode = HttpStatusCode.OK;
97 if (Authenticate(value)) 100 return true;
98 return true;
99 } 101 }
100 } 102 }
101 } 103 }
104
102 d("WWW-Authenticate", "Basic realm = \"Asset Server\""); 105 d("WWW-Authenticate", "Basic realm = \"Asset Server\"");
106
107 statusCode = HttpStatusCode.Unauthorized;
103 return false; 108 return false;
104 } 109 }
105 } 110 }
diff --git a/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs b/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs
new file mode 100644
index 0000000..8c88d1c
--- /dev/null
+++ b/OpenSim/Framework/ServiceAuth/CompoundAuthentication.cs
@@ -0,0 +1,71 @@
1/*
2 * Copyright (c) Contributors, http://opensimulator.org/
3 * See CONTRIBUTORS.TXT for a full list of copyright holders.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 * * Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * * Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 * * Neither the name of the OpenSimulator Project nor the
13 * names of its contributors may be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
17 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28using System;
29using System.Collections.Generic;
30using System.Collections.Specialized;
31using System.Linq;
32using System.Net;
33
34namespace OpenSim.Framework.ServiceAuth
35{
36 public class CompoundAuthentication : IServiceAuth
37 {
38 private List<IServiceAuth> m_authentications = new List<IServiceAuth>();
39
40 public int Count { get { return m_authentications.Count; } }
41
42 public void AddAuthenticator(IServiceAuth auth)
43 {
44 m_authentications.Add(auth);
45 }
46
47 public void RemoveAuthenticator(IServiceAuth auth)
48 {
49 m_authentications.Remove(auth);
50 }
51
52 public void AddAuthorization(NameValueCollection headers) {}
53
54 public bool Authenticate(string data)
55 {
56 return m_authentications.TrueForAll(a => a.Authenticate(data));
57 }
58
59 public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode)
60 {
61 foreach (IServiceAuth auth in m_authentications)
62 {
63 if (!auth.Authenticate(requestHeaders, d, out statusCode))
64 return false;
65 }
66
67 statusCode = HttpStatusCode.OK;
68 return true;
69 }
70 }
71} \ No newline at end of file
diff --git a/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs b/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs
new file mode 100644
index 0000000..1e1ee56
--- /dev/null
+++ b/OpenSim/Framework/ServiceAuth/DisallowLlHttpRequest.cs
@@ -0,0 +1,57 @@
1/*
2 * Copyright (c) Contributors, http://opensimulator.org/
3 * See CONTRIBUTORS.TXT for a full list of copyright holders.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 * * Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * * Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 * * Neither the name of the OpenSimulator Project nor the
13 * names of its contributors may be used to endorse or promote products
14 * derived from this software without specific prior written permission.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
17 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28using System;
29using System.Collections.Specialized;
30using System.Net;
31
32namespace OpenSim.Framework.ServiceAuth
33{
34 public class DisallowLlHttpRequest : IServiceAuth
35 {
36 public void AddAuthorization(NameValueCollection headers) {}
37
38 public bool Authenticate(string data)
39 {
40 return false;
41 }
42
43 public bool Authenticate(NameValueCollection requestHeaders, AddHeaderDelegate d, out HttpStatusCode statusCode)
44 {
45// Console.WriteLine("DisallowLlHttpRequest");
46
47 if (requestHeaders["X-SecondLife-Shard"] != null)
48 {
49 statusCode = HttpStatusCode.Forbidden;
50 return false;
51 }
52
53 statusCode = HttpStatusCode.OK;
54 return true;
55 }
56 }
57} \ No newline at end of file
diff --git a/OpenSim/Framework/ServiceAuth/IServiceAuth.cs b/OpenSim/Framework/ServiceAuth/IServiceAuth.cs
index fdd97b2..adde62f 100644
--- a/OpenSim/Framework/ServiceAuth/IServiceAuth.cs
+++ b/OpenSim/Framework/ServiceAuth/IServiceAuth.cs
@@ -26,6 +26,7 @@
26 */ 26 */
27 27
28using System; 28using System;
29using System.Net;
29using System.Collections.Generic; 30using System.Collections.Generic;
30using System.Collections.Specialized; 31using System.Collections.Specialized;
31 32
@@ -36,7 +37,7 @@ namespace OpenSim.Framework.ServiceAuth
36 public interface IServiceAuth 37 public interface IServiceAuth
37 { 38 {
38 bool Authenticate(string data); 39 bool Authenticate(string data);
39 bool Authenticate(NameValueCollection headers, AddHeaderDelegate d); 40 bool Authenticate(NameValueCollection headers, AddHeaderDelegate d, out HttpStatusCode statusCode);
40 void AddAuthorization(NameValueCollection headers); 41 void AddAuthorization(NameValueCollection headers);
41 } 42 }
42} 43}
diff --git a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
index 5ab613b..30f5bd6 100644
--- a/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
+++ b/OpenSim/Framework/ServiceAuth/ServiceAuth.cs
@@ -36,15 +36,27 @@ namespace OpenSim.Framework.ServiceAuth
36 { 36 {
37 public static IServiceAuth Create(IConfigSource config, string section) 37 public static IServiceAuth Create(IConfigSource config, string section)
38 { 38 {
39 CompoundAuthentication compoundAuth = new CompoundAuthentication();
40
41 bool allowLlHttpRequestIn
42 = Util.GetConfigVarFromSections<bool>(config, "AllowllHTTPRequestIn", new string[] { "Network", section }, false);
43
44 if (!allowLlHttpRequestIn)
45 compoundAuth.AddAuthenticator(new DisallowLlHttpRequest());
46
39 string authType = Util.GetConfigVarFromSections<string>(config, "AuthType", new string[] { "Network", section }, "None"); 47 string authType = Util.GetConfigVarFromSections<string>(config, "AuthType", new string[] { "Network", section }, "None");
40 48
41 switch (authType) 49 switch (authType)
42 { 50 {
43 case "BasicHttpAuthentication": 51 case "BasicHttpAuthentication":
44 return new BasicHttpAuthentication(config, section); 52 compoundAuth.AddAuthenticator(new BasicHttpAuthentication(config, section));
53 break;
45 } 54 }
46 55
47 return null; 56 if (compoundAuth.Count > 0)
57 return compoundAuth;
58 else
59 return null;
48 } 60 }
49 } 61 }
50} 62} \ No newline at end of file
diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example
index 5fa4026..872a7f8 100644
--- a/bin/Robust.HG.ini.example
+++ b/bin/Robust.HG.ini.example
@@ -153,6 +153,13 @@
153 ;; Hypergrid services are not affected by this; they are publicly available 153 ;; Hypergrid services are not affected by this; they are publicly available
154 ;; by design. 154 ;; by design.
155 155
156 ;; By default, scripts are not allowed to call private services via llHttpRequest()
157 ;; Such calls are detected by the X-SecondLife-Shared HTTP header
158 ;; If you allow such calls you must be sure that they are restricted to very trusted scripters
159 ;; (remember scripts can also be in visiting avatar attachments).
160 ;; This can be overriden in individual private service sections if necessary
161 AllowllHTTPRequestIn = false
162
156 ; * The following are for the remote console 163 ; * The following are for the remote console
157 ; * They have no effect for the local or basic console types 164 ; * They have no effect for the local or basic console types
158 ; * Leave commented to diable logins to the console 165 ; * Leave commented to diable logins to the console
diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example
index a0b8f50..48deeae 100644
--- a/bin/Robust.ini.example
+++ b/bin/Robust.ini.example
@@ -129,6 +129,13 @@
129 ;; This is useful in cases where you want to protect most of the services, 129 ;; This is useful in cases where you want to protect most of the services,
130 ;; but unprotect individual services. Username and Password can also be 130 ;; but unprotect individual services. Username and Password can also be
131 ;; overriden if you want to use different credentials for the different services. 131 ;; overriden if you want to use different credentials for the different services.
132
133 ;; By default, scripts are not allowed to call private services via llHttpRequest()
134 ;; Such calls are detected by the X-SecondLife-Shared HTTP header
135 ;; If you allow such calls you must be sure that they are restricted to very trusted scripters
136 ;; (remember scripts can also be in visiting avatar attachments).
137 ;; This can be overriden in individual private service sections if necessary
138 AllowllHTTPRequestIn = false
132 139
133 ; * The following are for the remote console 140 ; * The following are for the remote console
134 ; * They have no effect for the local or basic console types 141 ; * They have no effect for the local or basic console types