1 files changed, 203 insertions, 0 deletions
diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs
new file mode 100644
index 0000000..1af7c41
--- /dev/null
+++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,203 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System.Net.Security;
+using System.Text;
+using log4net;
+namespace OpenSim.Framework
+{
+    /// <summary>
+    /// Used for requests to untrusted endpoints that may potentially be
+    /// malicious
+    /// </summary>
+    public static class UntrustedHttpWebRequest
+    {
+        /// <summary>Setting this to true will allow HTTP connections to localhost</summary>
+        private const bool DEBUG = true;
+        private static readonly ILog m_log =
+                LogManager.GetLogger(
+                System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
+        private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
+        /// <summary>
+        /// Creates an HttpWebRequest that is hardened against malicious
+        /// endpoints after ensuring the given Uri is safe to retrieve
+        /// </summary>
+        /// <param name="uri">Web location to request</param>
+        /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+        /// <exception cref="ArgumentNullException">If uri is null</exception>
+        /// <exception cref="ArgumentException">If uri is unsafe</exception>
+        public static HttpWebRequest Create(Uri uri)
+        {
+            return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
+        }
+        /// <summary>
+        /// Creates an HttpWebRequest that is hardened against malicious
+        /// endpoints after ensuring the given Uri is safe to retrieve
+        /// </summary>
+        /// <param name="uri">Web location to request</param>
+        /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
+        /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
+        /// <param name="timeoutMS">Connection timeout, in milliseconds</param>
+        /// <param name="maximumRedirects">Maximum number of allowed redirects</param>
+        /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+        /// <exception cref="ArgumentNullException">If uri is null</exception>
+        /// <exception cref="ArgumentException">If uri is unsafe</exception>
+        public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
+        {
+            if (uri == null)
+                throw new ArgumentNullException("uri");
+            if (!IsUriAllowable(uri, allowLoopback))
+                throw new ArgumentException("Uri " + uri + " was rejected");
+            HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
+            httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
+            httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
+            httpWebRequest.Timeout = timeoutMS;
+            httpWebRequest.KeepAlive = false;
+            return httpWebRequest;
+        }
+        public static string PostToUntrustedUrl(Uri url, string data)
+        {
+            try
+            {
+                byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
+                HttpWebRequest request = Create(url);
+                request.Method = "POST";
+                request.ContentLength = requestData.Length;
+                request.ContentType = "application/x-www-form-urlencoded";
+                using (Stream requestStream = request.GetRequestStream())
+                    requestStream.Write(requestData, 0, requestData.Length);
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                        return responseStream.GetStreamString();
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
+                return null;
+            }
+        }
+        public static string GetUntrustedUrl(Uri url)
+        {
+            try
+            {
+                HttpWebRequest request = Create(url);
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                        return responseStream.GetStreamString();
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
+                return null;
+            }
+        }
+        /// <summary>
+        /// Determines whether a URI is allowed based on scheme and host name.
+        /// No requireSSL check is done here
+        /// </summary>
+        /// <param name="allowLoopback">True to allow loopback addresses to be used</param>
+        /// <param name="uri">The URI to test for whether it should be allowed.</param>
+        /// <returns>
+        ///     <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
+        /// </returns>
+        private static bool IsUriAllowable(Uri uri, bool allowLoopback)
+        {
+            if (!allowableSchemes.Contains(uri.Scheme))
+            {
+                m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
+                return false;
+            }
+            // Try to interpret the hostname as an IP address so we can test for internal
+            // IP address ranges.  Note that IP addresses can appear in many forms 
+            // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
+            // So we convert them to a canonical IPAddress instance, and test for all
+            // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1
+            // Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
+            IPAddress hostIPAddress;
+            if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
+            {
+                byte[] addressBytes = hostIPAddress.GetAddressBytes();
+                // The host is actually an IP address.
+                switch (hostIPAddress.AddressFamily)
+                {
+                    case System.Net.Sockets.AddressFamily.InterNetwork:
+                        if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10))
+                        {
+                            m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+                            return false;
+                        }
+                        break;
+                    case System.Net.Sockets.AddressFamily.InterNetworkV6:
+                        if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
+                        {
+                            m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+                            return false;
+                        }
+                        break;
+                    default:
+                        m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
+                        return false;
+                }
+            }
+            else
+            {
+                // The host is given by name.  We require names to contain periods to
+                // help make sure it's not an internal address.
+                if (!allowLoopback && !uri.Host.Contains("."))
+                {
+                    m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
+                    return false;
+                }
+            }
+            return true;
+        }
+        /// <summary>
+        /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
+        /// </summary>
+        /// <param name="ip">The ip address to check.</param>
+        /// <returns>
+        ///     <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
+        /// </returns>
+        private static bool IsIPv6Loopback(IPAddress ip)
+        {
+            if (ip == null)
+                throw new ArgumentNullException("ip");
+            byte[] addressBytes = ip.GetAddressBytes();
+            for (int i = 0; i < addressBytes.Length - 1; i++)
+            {
+                if (addressBytes[i] != 0)
+                    return false;
+            }
+            if (addressBytes[addressBytes.Length - 1] != 1)
+                return false;
+            return true;
+        }
+    }
+}

diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs new file mode 100644 index 0000000..1af7c41 --- /dev/null +++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,203 @@
	1	using System;
	2	using System.Collections.Generic;
	3	using System.IO;
	4	using System.Net;
	5	using System.Net.Security;
	6	using System.Text;
	7	using log4net;
	8
	9	namespace OpenSim.Framework
	10	{
	11	/// <summary>
	12	/// Used for requests to untrusted endpoints that may potentially be
	13	/// malicious
	14	/// </summary>
	15	public static class UntrustedHttpWebRequest
	16	{
	17	/// <summary>Setting this to true will allow HTTP connections to localhost</summary>
	18	private const bool DEBUG = true;
	19
	20	private static readonly ILog m_log =
	21	LogManager.GetLogger(
	22	System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
	23
	24	private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
	25
	26	/// <summary>
	27	/// Creates an HttpWebRequest that is hardened against malicious
	28	/// endpoints after ensuring the given Uri is safe to retrieve
	29	/// </summary>
	30	/// <param name="uri">Web location to request</param>
	31	/// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
	32	/// <exception cref="ArgumentNullException">If uri is null</exception>
	33	/// <exception cref="ArgumentException">If uri is unsafe</exception>
	34	public static HttpWebRequest Create(Uri uri)
	35	{
	36	return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
	37	}
	38
	39	/// <summary>
	40	/// Creates an HttpWebRequest that is hardened against malicious
	41	/// endpoints after ensuring the given Uri is safe to retrieve
	42	/// </summary>
	43	/// <param name="uri">Web location to request</param>
	44	/// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
	45	/// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
	46	/// <param name="timeoutMS">Connection timeout, in milliseconds</param>
	47	/// <param name="maximumRedirects">Maximum number of allowed redirects</param>
	48	/// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
	49	/// <exception cref="ArgumentNullException">If uri is null</exception>
	50	/// <exception cref="ArgumentException">If uri is unsafe</exception>
	51	public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
	52	{
	53	if (uri == null)
	54	throw new ArgumentNullException("uri");
	55
	56	if (!IsUriAllowable(uri, allowLoopback))
	57	throw new ArgumentException("Uri " + uri + " was rejected");
	58
	59	HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
	60	httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
	61	httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
	62	httpWebRequest.Timeout = timeoutMS;
	63	httpWebRequest.KeepAlive = false;
	64
	65	return httpWebRequest;
	66	}
	67
	68	public static string PostToUntrustedUrl(Uri url, string data)
	69	{
	70	try
	71	{
	72	byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
	73
	74	HttpWebRequest request = Create(url);
	75	request.Method = "POST";
	76	request.ContentLength = requestData.Length;
	77	request.ContentType = "application/x-www-form-urlencoded";
	78
	79	using (Stream requestStream = request.GetRequestStream())
	80	requestStream.Write(requestData, 0, requestData.Length);
	81
	82	using (WebResponse response = request.GetResponse())
	83	{
	84	using (Stream responseStream = response.GetResponseStream())
	85	return responseStream.GetStreamString();
	86	}
	87	}
	88	catch (Exception ex)
	89	{
	90	m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
	91	return null;
	92	}
	93	}
	94
	95	public static string GetUntrustedUrl(Uri url)
	96	{
	97	try
	98	{
	99	HttpWebRequest request = Create(url);
	100
	101	using (WebResponse response = request.GetResponse())
	102	{
	103	using (Stream responseStream = response.GetResponseStream())
	104	return responseStream.GetStreamString();
	105	}
	106	}
	107	catch (Exception ex)
	108	{
	109	m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
	110	return null;
	111	}
	112	}
	113
	114	/// <summary>
	115	/// Determines whether a URI is allowed based on scheme and host name.
	116	/// No requireSSL check is done here
	117	/// </summary>
	118	/// <param name="allowLoopback">True to allow loopback addresses to be used</param>
	119	/// <param name="uri">The URI to test for whether it should be allowed.</param>
	120	/// <returns>
	121	/// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
	122	/// </returns>
	123	private static bool IsUriAllowable(Uri uri, bool allowLoopback)
	124	{
	125	if (!allowableSchemes.Contains(uri.Scheme))
	126	{
	127	m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
	128	return false;
	129	}
	130
	131	// Try to interpret the hostname as an IP address so we can test for internal
	132	// IP address ranges. Note that IP addresses can appear in many forms
	133	// (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
	134	// So we convert them to a canonical IPAddress instance, and test for all
	135	// non-routable IP ranges: 10..., 127..., ::1
	136	// Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
	137	IPAddress hostIPAddress;
	138	if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
	139	{
	140	byte[] addressBytes = hostIPAddress.GetAddressBytes();
	141
	142	// The host is actually an IP address.
	143	switch (hostIPAddress.AddressFamily)
	144	{
	145	case System.Net.Sockets.AddressFamily.InterNetwork:
	146	if (!allowLoopback && (addressBytes[0] == 127 \|\| addressBytes[0] == 10))
	147	{
	148	m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
	149	return false;
	150	}
	151	break;
	152	case System.Net.Sockets.AddressFamily.InterNetworkV6:
	153	if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
	154	{
	155	m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
	156	return false;
	157	}
	158	break;
	159	default:
	160	m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
	161	return false;
	162	}
	163	}
	164	else
	165	{
	166	// The host is given by name. We require names to contain periods to
	167	// help make sure it's not an internal address.
	168	if (!allowLoopback && !uri.Host.Contains("."))
	169	{
	170	m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
	171	return false;
	172	}
	173	}
	174
	175	return true;
	176	}
	177
	178	/// <summary>
	179	/// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
	180	/// </summary>
	181	/// <param name="ip">The ip address to check.</param>
	182	/// <returns>
	183	/// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
	184	/// </returns>
	185	private static bool IsIPv6Loopback(IPAddress ip)
	186	{
	187	if (ip == null)
	188	throw new ArgumentNullException("ip");
	189
	190	byte[] addressBytes = ip.GetAddressBytes();
	191	for (int i = 0; i < addressBytes.Length - 1; i++)
	192	{
	193	if (addressBytes[i] != 0)
	194	return false;
	195	}
	196
	197	if (addressBytes[addressBytes.Length - 1] != 1)
	198	return false;
	199
	200	return true;
	201	}
	202	}
	203	}