1 files changed, 256 insertions, 0 deletions
diff --git a/OpenSim/Framework/Communications/OutboundUrlFilter.cs b/OpenSim/Framework/Communications/OutboundUrlFilter.cs
new file mode 100644
index 0000000..8b572d1
--- /dev/null
+++ b/OpenSim/Framework/Communications/OutboundUrlFilter.cs
@@ -0,0 +1,256 @@
+/*
+ * Copyright (c) Contributors, http://opensimulator.org/
+ * See CONTRIBUTORS.TXT for a full list of copyright holders.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *     * Redistributions of source code must retain the above copyright
+ *       notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     * Neither the name of the OpenSimulator Project nor the
+ *       names of its contributors may be used to endorse or promote products
+ *       derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Reflection;
+using log4net;
+using LukeSkywalker.IPNetwork;
+using Nini.Config;
+namespace OpenSim.Framework.Communications
+{
+    public class OutboundUrlFilter
+    {
+        private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
+        public string Name { get; private set; }
+        private List<IPNetwork> m_blacklistNetworks;
+        private List<IPEndPoint> m_blacklistEndPoints;
+        private List<IPNetwork> m_blacklistExceptionNetworks;
+        private List<IPEndPoint> m_blacklistExceptionEndPoints;
+        public OutboundUrlFilter(
+            string name, 
+            List<IPNetwork> blacklistNetworks, List<IPEndPoint> blacklistEndPoints, 
+            List<IPNetwork> blacklistExceptionNetworks, List<IPEndPoint> blacklistExceptionEndPoints)
+        {
+            Name = name;
+            m_blacklistNetworks = blacklistNetworks;
+            m_blacklistEndPoints = blacklistEndPoints;
+            m_blacklistExceptionNetworks = blacklistExceptionNetworks;
+            m_blacklistExceptionEndPoints = blacklistExceptionEndPoints;
+        }
+        /// <summary>
+        /// Initializes a new instance of the <see cref="OpenSim.Framework.Communications.OutboundUrlFilter"/> class.
+        /// </summary>
+        /// <param name="name">Name of the filter for logging purposes.</param>
+        /// <param name="config">Filter configuration</param>
+        public OutboundUrlFilter(string name, IConfigSource config)
+        {
+            Name = name;
+            string configBlacklist
+                = "0.0.0.0/8|10.0.0.0/8|100.64.0.0/10|127.0.0.0/8|169.254.0.0/16|172.16.0.0/12|192.0.0.0/24|192.0.2.0/24|192.88.99.0/24|192.168.0.0/16|198.18.0.0/15|198.51.100.0/24|203.0.113.0/24|224.0.0.0/4|240.0.0.0/4|255.255.255.255/32";
+            string configBlacklistExceptions = "";
+            IConfig networkConfig = config.Configs["Network"];
+            if (networkConfig != null)
+            {
+                configBlacklist = networkConfig.GetString("OutboundDisallowForUserScripts", configBlacklist);
+                configBlacklistExceptions 
+                    = networkConfig.GetString("OutboundDisallowForUserScriptsExcept", configBlacklistExceptions);
+            }
+            m_log.DebugFormat(
+                "[OUTBOUND URL FILTER]: OutboundDisallowForUserScripts for {0} is [{1}]", Name, configBlacklist);
+            m_log.DebugFormat(
+                "[OUTBOUND URL FILTER]: OutboundDisallowForUserScriptsExcept for {0} is [{1}]", Name, configBlacklistExceptions);
+            OutboundUrlFilter.ParseConfigList(
+                configBlacklist, Name, out m_blacklistNetworks, out m_blacklistEndPoints);
+            OutboundUrlFilter.ParseConfigList(
+                configBlacklistExceptions, Name, out m_blacklistExceptionNetworks, out m_blacklistExceptionEndPoints);
+        }
+        private static void ParseConfigList(
+            string fullConfigEntry, string filterName, out List<IPNetwork> networks, out List<IPEndPoint> endPoints)
+        {
+            // Parse blacklist
+            string[] configBlacklistEntries 
+                = fullConfigEntry.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
+            configBlacklistEntries = configBlacklistEntries.Select(e => e.Trim()).ToArray();
+            networks = new List<IPNetwork>();
+            endPoints = new List<IPEndPoint>();
+            foreach (string configEntry in configBlacklistEntries)
+            {
+                if (configEntry.Contains("/"))
+                {
+                    IPNetwork network;
+                    if (!IPNetwork.TryParse(configEntry, out network))
+                    {
+                        m_log.ErrorFormat(
+                            "[OUTBOUND URL FILTER]: Entry [{0}] is invalid network for {1}", configEntry, filterName);
+                        continue;
+                    }
+                    networks.Add(network);
+                }
+                else
+                {
+                    Uri configEntryUri;
+                    if (!Uri.TryCreate("http://" + configEntry, UriKind.Absolute, out configEntryUri))
+                    {
+                        m_log.ErrorFormat(
+                            "[OUTBOUND URL FILTER]: EndPoint entry [{0}] is invalid endpoint for {1}", 
+                            configEntry, filterName);
+                        continue;
+                    }
+                    IPAddress[] addresses = Dns.GetHostAddresses(configEntryUri.Host);
+                    foreach (IPAddress addr in addresses)
+                    {
+                        if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
+                        {
+                            //                        m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}] in config", addr);
+                            IPEndPoint configEntryEp = new IPEndPoint(addr, configEntryUri.Port);
+                            endPoints.Add(configEntryEp);
+                            //                        m_log.DebugFormat("[OUTBOUND URL FILTER]: Added blacklist exception [{0}]", configEntryEp);
+                        }
+                    }
+                }
+            }
+        }
+        /// <summary>
+        /// Determines if an url is in a list of networks and endpoints.
+        /// </summary>
+        /// <returns></returns>
+        /// <param name="url">IP address</param>
+        /// <param name="port"></param>
+        /// <param name="networks">Networks.</param>
+        /// <param name="endPoints">End points.</param>
+        /// <param name="filterName">Filter name.</param>
+        private static bool IsInNetwork(
+            IPAddress addr, int port, List<IPNetwork> networks, List<IPEndPoint> endPoints, string filterName)
+        {
+            foreach (IPNetwork ipn in networks)
+            {
+//                                            m_log.DebugFormat(
+//                                                "[OUTBOUND URL FILTER]: Checking [{0}] against network [{1}]", addr, ipn);
+                if (IPNetwork.Contains(ipn, addr))
+                {
+//                                                    m_log.DebugFormat(
+//                                                        "[OUTBOUND URL FILTER]: Found [{0}] in network [{1}]", addr, ipn);
+                    return true;
+                }
+            }
+            //                    m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}]", addr);
+            foreach (IPEndPoint ep in endPoints)
+            {
+//                m_log.DebugFormat(
+//                    "[OUTBOUND URL FILTER]: Checking [{0}:{1}] against endpoint [{2}]", 
+//                    addr, port, ep);
+                if (addr.Equals(ep.Address) && port == ep.Port)
+                {
+//                    m_log.DebugFormat(
+//                        "[OUTBOUND URL FILTER]: Found [{0}:{1}] in endpoint [{2}]", addr, port, ep);
+                                        
+                    return true;
+                }
+            }
+//            m_log.DebugFormat("[OUTBOUND URL FILTER]: Did not find [{0}:{1}] in list", addr, port);
+            return false;
+        }
+        /// <summary>
+        /// Checks whether the given url is allowed by the filter.
+        /// </summary>
+        /// <returns></returns>
+        public bool CheckAllowed(Uri url)
+        {
+            bool allowed = true;
+            // Check that we are permitted to make calls to this endpoint.
+            bool foundIpv4Address = false;
+            IPAddress[] addresses = Dns.GetHostAddresses(url.Host);
+            foreach (IPAddress addr in addresses)
+            {
+                if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
+                {
+//                    m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}]", addr);
+                    foundIpv4Address = true;
+                    // Check blacklist
+                    if (OutboundUrlFilter.IsInNetwork(addr, url.Port, m_blacklistNetworks, m_blacklistEndPoints, Name))
+                    {
+//                        m_log.DebugFormat("[OUTBOUND URL FILTER]: Found [{0}] in blacklist for {1}", url, Name);
+                        // Check blacklist exceptions
+                        allowed 
+                            = OutboundUrlFilter.IsInNetwork(
+                                addr, url.Port, m_blacklistExceptionNetworks, m_blacklistExceptionEndPoints, Name);
+//                        if (allowed)
+//                            m_log.DebugFormat("[OUTBOUND URL FILTER]: Found [{0}] in whitelist for {1}", url, Name);
+                    }
+                }
+                // Found at least one address in a blacklist and not a blacklist exception
+                if (!allowed)
+                    return false;
+//                else
+//                    m_log.DebugFormat("[OUTBOUND URL FILTER]: URL [{0}] not in blacklist for {1}", url, Name);
+            }
+            // We do not know how to handle IPv6 securely yet.
+            if (!foundIpv4Address)
+                return false;
+//            m_log.DebugFormat("[OUTBOUND URL FILTER]: Allowing request [{0}]", url);
+            return allowed;
+        }
+    }
+}
+\ No newline at end of file

diff --git a/OpenSim/Framework/Communications/OutboundUrlFilter.cs b/OpenSim/Framework/Communications/OutboundUrlFilter.cs new file mode 100644 index 0000000..8b572d1 --- /dev/null +++ b/OpenSim/Framework/Communications/OutboundUrlFilter.cs
@@ -0,0 +1,256 @@
	1	/*
	2	* Copyright (c) Contributors, http://opensimulator.org/
	3	* See CONTRIBUTORS.TXT for a full list of copyright holders.
	4	*
	5	* Redistribution and use in source and binary forms, with or without
	6	* modification, are permitted provided that the following conditions are met:
	7	* * Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* * Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	* * Neither the name of the OpenSimulator Project nor the
	13	* names of its contributors may be used to endorse or promote products
	14	* derived from this software without specific prior written permission.
	15	*
	16	* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY
	17	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	18	* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	19	* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
	20	* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
	21	* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	22	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
	23	* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
	25	* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	26	*/
	27
	28	using System;
	29	using System.Collections.Generic;
	30	using System.Linq;
	31	using System.Net;
	32	using System.Reflection;
	33	using log4net;
	34	using LukeSkywalker.IPNetwork;
	35	using Nini.Config;
	36
	37	namespace OpenSim.Framework.Communications
	38	{
	39	public class OutboundUrlFilter
	40	{
	41	private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
	42
	43	public string Name { get; private set; }
	44
	45	private List<IPNetwork> m_blacklistNetworks;
	46	private List<IPEndPoint> m_blacklistEndPoints;
	47
	48	private List<IPNetwork> m_blacklistExceptionNetworks;
	49	private List<IPEndPoint> m_blacklistExceptionEndPoints;
	50
	51	public OutboundUrlFilter(
	52	string name,
	53	List<IPNetwork> blacklistNetworks, List<IPEndPoint> blacklistEndPoints,
	54	List<IPNetwork> blacklistExceptionNetworks, List<IPEndPoint> blacklistExceptionEndPoints)
	55	{
	56	Name = name;
	57
	58	m_blacklistNetworks = blacklistNetworks;
	59	m_blacklistEndPoints = blacklistEndPoints;
	60	m_blacklistExceptionNetworks = blacklistExceptionNetworks;
	61	m_blacklistExceptionEndPoints = blacklistExceptionEndPoints;
	62	}
	63
	64	/// <summary>
	65	/// Initializes a new instance of the <see cref="OpenSim.Framework.Communications.OutboundUrlFilter"/> class.
	66	/// </summary>
	67	/// <param name="name">Name of the filter for logging purposes.</param>
	68	/// <param name="config">Filter configuration</param>
	69	public OutboundUrlFilter(string name, IConfigSource config)
	70	{
	71	Name = name;
	72
	73	string configBlacklist
	74	= "0.0.0.0/8\|10.0.0.0/8\|100.64.0.0/10\|127.0.0.0/8\|169.254.0.0/16\|172.16.0.0/12\|192.0.0.0/24\|192.0.2.0/24\|192.88.99.0/24\|192.168.0.0/16\|198.18.0.0/15\|198.51.100.0/24\|203.0.113.0/24\|224.0.0.0/4\|240.0.0.0/4\|255.255.255.255/32";
	75	string configBlacklistExceptions = "";
	76
	77	IConfig networkConfig = config.Configs["Network"];
	78
	79	if (networkConfig != null)
	80	{
	81	configBlacklist = networkConfig.GetString("OutboundDisallowForUserScripts", configBlacklist);
	82	configBlacklistExceptions
	83	= networkConfig.GetString("OutboundDisallowForUserScriptsExcept", configBlacklistExceptions);
	84	}
	85
	86	m_log.DebugFormat(
	87	"[OUTBOUND URL FILTER]: OutboundDisallowForUserScripts for {0} is [{1}]", Name, configBlacklist);
	88	m_log.DebugFormat(
	89	"[OUTBOUND URL FILTER]: OutboundDisallowForUserScriptsExcept for {0} is [{1}]", Name, configBlacklistExceptions);
	90
	91	OutboundUrlFilter.ParseConfigList(
	92	configBlacklist, Name, out m_blacklistNetworks, out m_blacklistEndPoints);
	93	OutboundUrlFilter.ParseConfigList(
	94	configBlacklistExceptions, Name, out m_blacklistExceptionNetworks, out m_blacklistExceptionEndPoints);
	95	}
	96
	97	private static void ParseConfigList(
	98	string fullConfigEntry, string filterName, out List<IPNetwork> networks, out List<IPEndPoint> endPoints)
	99	{
	100	// Parse blacklist
	101	string[] configBlacklistEntries
	102	= fullConfigEntry.Split(new char[] { '\|' }, StringSplitOptions.RemoveEmptyEntries);
	103
	104	configBlacklistEntries = configBlacklistEntries.Select(e => e.Trim()).ToArray();
	105
	106	networks = new List<IPNetwork>();
	107	endPoints = new List<IPEndPoint>();
	108
	109	foreach (string configEntry in configBlacklistEntries)
	110	{
	111	if (configEntry.Contains("/"))
	112	{
	113	IPNetwork network;
	114
	115	if (!IPNetwork.TryParse(configEntry, out network))
	116	{
	117	m_log.ErrorFormat(
	118	"[OUTBOUND URL FILTER]: Entry [{0}] is invalid network for {1}", configEntry, filterName);
	119
	120	continue;
	121	}
	122
	123	networks.Add(network);
	124	}
	125	else
	126	{
	127	Uri configEntryUri;
	128
	129	if (!Uri.TryCreate("http://" + configEntry, UriKind.Absolute, out configEntryUri))
	130	{
	131	m_log.ErrorFormat(
	132	"[OUTBOUND URL FILTER]: EndPoint entry [{0}] is invalid endpoint for {1}",
	133	configEntry, filterName);
	134
	135	continue;
	136	}
	137
	138	IPAddress[] addresses = Dns.GetHostAddresses(configEntryUri.Host);
	139
	140	foreach (IPAddress addr in addresses)
	141	{
	142	if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
	143	{
	144	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}] in config", addr);
	145
	146	IPEndPoint configEntryEp = new IPEndPoint(addr, configEntryUri.Port);
	147	endPoints.Add(configEntryEp);
	148
	149	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Added blacklist exception [{0}]", configEntryEp);
	150	}
	151	}
	152	}
	153	}
	154	}
	155
	156	/// <summary>
	157	/// Determines if an url is in a list of networks and endpoints.
	158	/// </summary>
	159	/// <returns></returns>
	160	/// <param name="url">IP address</param>
	161	/// <param name="port"></param>
	162	/// <param name="networks">Networks.</param>
	163	/// <param name="endPoints">End points.</param>
	164	/// <param name="filterName">Filter name.</param>
	165	private static bool IsInNetwork(
	166	IPAddress addr, int port, List<IPNetwork> networks, List<IPEndPoint> endPoints, string filterName)
	167	{
	168	foreach (IPNetwork ipn in networks)
	169	{
	170	// m_log.DebugFormat(
	171	// "[OUTBOUND URL FILTER]: Checking [{0}] against network [{1}]", addr, ipn);
	172
	173	if (IPNetwork.Contains(ipn, addr))
	174	{
	175	// m_log.DebugFormat(
	176	// "[OUTBOUND URL FILTER]: Found [{0}] in network [{1}]", addr, ipn);
	177
	178	return true;
	179	}
	180	}
	181
	182	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}]", addr);
	183
	184	foreach (IPEndPoint ep in endPoints)
	185	{
	186	// m_log.DebugFormat(
	187	// "[OUTBOUND URL FILTER]: Checking [{0}:{1}] against endpoint [{2}]",
	188	// addr, port, ep);
	189
	190	if (addr.Equals(ep.Address) && port == ep.Port)
	191	{
	192	// m_log.DebugFormat(
	193	// "[OUTBOUND URL FILTER]: Found [{0}:{1}] in endpoint [{2}]", addr, port, ep);
	194
	195	return true;
	196	}
	197	}
	198
	199	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Did not find [{0}:{1}] in list", addr, port);
	200
	201	return false;
	202	}
	203
	204	/// <summary>
	205	/// Checks whether the given url is allowed by the filter.
	206	/// </summary>
	207	/// <returns></returns>
	208	public bool CheckAllowed(Uri url)
	209	{
	210	bool allowed = true;
	211
	212	// Check that we are permitted to make calls to this endpoint.
	213	bool foundIpv4Address = false;
	214
	215	IPAddress[] addresses = Dns.GetHostAddresses(url.Host);
	216
	217	foreach (IPAddress addr in addresses)
	218	{
	219	if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
	220	{
	221	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Found address [{0}]", addr);
	222
	223	foundIpv4Address = true;
	224
	225	// Check blacklist
	226	if (OutboundUrlFilter.IsInNetwork(addr, url.Port, m_blacklistNetworks, m_blacklistEndPoints, Name))
	227	{
	228	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Found [{0}] in blacklist for {1}", url, Name);
	229
	230	// Check blacklist exceptions
	231	allowed
	232	= OutboundUrlFilter.IsInNetwork(
	233	addr, url.Port, m_blacklistExceptionNetworks, m_blacklistExceptionEndPoints, Name);
	234
	235	// if (allowed)
	236	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Found [{0}] in whitelist for {1}", url, Name);
	237	}
	238	}
	239
	240	// Found at least one address in a blacklist and not a blacklist exception
	241	if (!allowed)
	242	return false;
	243	// else
	244	// m_log.DebugFormat("[OUTBOUND URL FILTER]: URL [{0}] not in blacklist for {1}", url, Name);
	245	}
	246
	247	// We do not know how to handle IPv6 securely yet.
	248	if (!foundIpv4Address)
	249	return false;
	250
	251	// m_log.DebugFormat("[OUTBOUND URL FILTER]: Allowing request [{0}]", url);
	252
	253	return allowed;
	254	}
	255	}
	256	} \ No newline at end of file