aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/OpenSim/Framework/UntrustedWebRequest.cs
diff options
context:
space:
mode:
Diffstat (limited to 'OpenSim/Framework/UntrustedWebRequest.cs')
-rw-r--r--OpenSim/Framework/UntrustedWebRequest.cs203
1 files changed, 203 insertions, 0 deletions
diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs
new file mode 100644
index 0000000..1af7c41
--- /dev/null
+++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,203 @@
1using System;
2using System.Collections.Generic;
3using System.IO;
4using System.Net;
5using System.Net.Security;
6using System.Text;
7using log4net;
8
9namespace OpenSim.Framework
10{
11 /// <summary>
12 /// Used for requests to untrusted endpoints that may potentially be
13 /// malicious
14 /// </summary>
15 public static class UntrustedHttpWebRequest
16 {
17 /// <summary>Setting this to true will allow HTTP connections to localhost</summary>
18 private const bool DEBUG = true;
19
20 private static readonly ILog m_log =
21 LogManager.GetLogger(
22 System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
23
24 private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
25
26 /// <summary>
27 /// Creates an HttpWebRequest that is hardened against malicious
28 /// endpoints after ensuring the given Uri is safe to retrieve
29 /// </summary>
30 /// <param name="uri">Web location to request</param>
31 /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
32 /// <exception cref="ArgumentNullException">If uri is null</exception>
33 /// <exception cref="ArgumentException">If uri is unsafe</exception>
34 public static HttpWebRequest Create(Uri uri)
35 {
36 return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
37 }
38
39 /// <summary>
40 /// Creates an HttpWebRequest that is hardened against malicious
41 /// endpoints after ensuring the given Uri is safe to retrieve
42 /// </summary>
43 /// <param name="uri">Web location to request</param>
44 /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
45 /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
46 /// <param name="timeoutMS">Connection timeout, in milliseconds</param>
47 /// <param name="maximumRedirects">Maximum number of allowed redirects</param>
48 /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
49 /// <exception cref="ArgumentNullException">If uri is null</exception>
50 /// <exception cref="ArgumentException">If uri is unsafe</exception>
51 public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
52 {
53 if (uri == null)
54 throw new ArgumentNullException("uri");
55
56 if (!IsUriAllowable(uri, allowLoopback))
57 throw new ArgumentException("Uri " + uri + " was rejected");
58
59 HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
60 httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
61 httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
62 httpWebRequest.Timeout = timeoutMS;
63 httpWebRequest.KeepAlive = false;
64
65 return httpWebRequest;
66 }
67
68 public static string PostToUntrustedUrl(Uri url, string data)
69 {
70 try
71 {
72 byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
73
74 HttpWebRequest request = Create(url);
75 request.Method = "POST";
76 request.ContentLength = requestData.Length;
77 request.ContentType = "application/x-www-form-urlencoded";
78
79 using (Stream requestStream = request.GetRequestStream())
80 requestStream.Write(requestData, 0, requestData.Length);
81
82 using (WebResponse response = request.GetResponse())
83 {
84 using (Stream responseStream = response.GetResponseStream())
85 return responseStream.GetStreamString();
86 }
87 }
88 catch (Exception ex)
89 {
90 m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
91 return null;
92 }
93 }
94
95 public static string GetUntrustedUrl(Uri url)
96 {
97 try
98 {
99 HttpWebRequest request = Create(url);
100
101 using (WebResponse response = request.GetResponse())
102 {
103 using (Stream responseStream = response.GetResponseStream())
104 return responseStream.GetStreamString();
105 }
106 }
107 catch (Exception ex)
108 {
109 m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
110 return null;
111 }
112 }
113
114 /// <summary>
115 /// Determines whether a URI is allowed based on scheme and host name.
116 /// No requireSSL check is done here
117 /// </summary>
118 /// <param name="allowLoopback">True to allow loopback addresses to be used</param>
119 /// <param name="uri">The URI to test for whether it should be allowed.</param>
120 /// <returns>
121 /// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
122 /// </returns>
123 private static bool IsUriAllowable(Uri uri, bool allowLoopback)
124 {
125 if (!allowableSchemes.Contains(uri.Scheme))
126 {
127 m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
128 return false;
129 }
130
131 // Try to interpret the hostname as an IP address so we can test for internal
132 // IP address ranges. Note that IP addresses can appear in many forms
133 // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
134 // So we convert them to a canonical IPAddress instance, and test for all
135 // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1
136 // Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
137 IPAddress hostIPAddress;
138 if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
139 {
140 byte[] addressBytes = hostIPAddress.GetAddressBytes();
141
142 // The host is actually an IP address.
143 switch (hostIPAddress.AddressFamily)
144 {
145 case System.Net.Sockets.AddressFamily.InterNetwork:
146 if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10))
147 {
148 m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
149 return false;
150 }
151 break;
152 case System.Net.Sockets.AddressFamily.InterNetworkV6:
153 if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
154 {
155 m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
156 return false;
157 }
158 break;
159 default:
160 m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
161 return false;
162 }
163 }
164 else
165 {
166 // The host is given by name. We require names to contain periods to
167 // help make sure it's not an internal address.
168 if (!allowLoopback && !uri.Host.Contains("."))
169 {
170 m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
171 return false;
172 }
173 }
174
175 return true;
176 }
177
178 /// <summary>
179 /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
180 /// </summary>
181 /// <param name="ip">The ip address to check.</param>
182 /// <returns>
183 /// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
184 /// </returns>
185 private static bool IsIPv6Loopback(IPAddress ip)
186 {
187 if (ip == null)
188 throw new ArgumentNullException("ip");
189
190 byte[] addressBytes = ip.GetAddressBytes();
191 for (int i = 0; i < addressBytes.Length - 1; i++)
192 {
193 if (addressBytes[i] != 0)
194 return false;
195 }
196
197 if (addressBytes[addressBytes.Length - 1] != 1)
198 return false;
199
200 return true;
201 }
202 }
203}