3 files changed, 650 insertions, 0 deletions
diff --git a/OpenSim/Framework/MultipartForm.cs b/OpenSim/Framework/MultipartForm.cs
new file mode 100644
index 0000000..8ba6d22
--- /dev/null
+++ b/OpenSim/Framework/MultipartForm.cs
@@ -0,0 +1,117 @@
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.IO;
+using System.Text;
+namespace OpenSim.Framework
+{
+    public static class MultipartForm
+    {
+        #region Helper Classes
+        public abstract class Element
+        {
+            public string Name;
+        }
+        public class File : Element
+        {
+            public string Filename;
+            public string ContentType;
+            public byte[] Data;
+            public File(string name, string filename, string contentType, byte[] data)
+            {
+                Name = name;
+                Filename = filename;
+                ContentType = contentType;
+                Data = data;
+            }
+        }
+        public class Parameter : Element
+        {
+            public string Value;
+            public Parameter(string name, string value)
+            {
+                Name = name;
+                Value = value;
+            }
+        }
+        #endregion Helper Classes
+        public static HttpWebResponse Post(HttpWebRequest request, List<Element> postParameters)
+        {
+            string boundary = Boundary();
+            // Set up the request properties
+            request.Method = "POST";
+            request.ContentType = "multipart/form-data; boundary=" + boundary;
+            #region Stream Writing
+            using (MemoryStream formDataStream = new MemoryStream())
+            {
+                foreach (var param in postParameters)
+                {
+                    if (param is File)
+                    {
+                        File file = (File)param;
+                        // Add just the first part of this param, since we will write the file data directly to the Stream
+                        string header = string.Format("--{0}\r\nContent-Disposition: form-data; name=\"{1}\"; filename=\"{2}\";\r\nContent-Type: {3}\r\n\r\n",
+                            boundary,
+                            file.Name,
+                            !String.IsNullOrEmpty(file.Filename) ? file.Filename : "tempfile",
+                            file.ContentType);
+                        formDataStream.Write(Encoding.UTF8.GetBytes(header), 0, header.Length);
+                        formDataStream.Write(file.Data, 0, file.Data.Length);
+                    }
+                    else
+                    {
+                        Parameter parameter = (Parameter)param;
+                        string postData = string.Format("--{0}\r\nContent-Disposition: form-data; name=\"{1}\"\r\n\r\n{2}\r\n",
+                            boundary,
+                            parameter.Name,
+                            parameter.Value);
+                        formDataStream.Write(Encoding.UTF8.GetBytes(postData), 0, postData.Length);
+                    }
+                }
+                // Add the end of the request
+                byte[] footer = Encoding.UTF8.GetBytes("\r\n--" + boundary + "--\r\n");
+                formDataStream.Write(footer, 0, footer.Length);
+                request.ContentLength = formDataStream.Length;
+                // Copy the temporary stream to the network stream
+                formDataStream.Seek(0, SeekOrigin.Begin);
+                using (Stream requestStream = request.GetRequestStream())
+                    formDataStream.CopyTo(requestStream, (int)formDataStream.Length);
+            }
+            #endregion Stream Writing
+            return request.GetResponse() as HttpWebResponse;
+        }
+        private static string Boundary()
+        {
+            Random rnd = new Random();
+            string formDataBoundary = String.Empty;
+            while (formDataBoundary.Length < 15)
+                formDataBoundary = formDataBoundary + rnd.Next();
+            formDataBoundary = formDataBoundary.Substring(0, 15);
+            formDataBoundary = "-----------------------------" + formDataBoundary;
+            return formDataBoundary;
+        }
+    }
+}
diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs
new file mode 100644
index 0000000..1af7c41
--- /dev/null
+++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,203 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net;
+using System.Net.Security;
+using System.Text;
+using log4net;
+namespace OpenSim.Framework
+{
+    /// <summary>
+    /// Used for requests to untrusted endpoints that may potentially be
+    /// malicious
+    /// </summary>
+    public static class UntrustedHttpWebRequest
+    {
+        /// <summary>Setting this to true will allow HTTP connections to localhost</summary>
+        private const bool DEBUG = true;
+        private static readonly ILog m_log =
+                LogManager.GetLogger(
+                System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
+        private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
+        /// <summary>
+        /// Creates an HttpWebRequest that is hardened against malicious
+        /// endpoints after ensuring the given Uri is safe to retrieve
+        /// </summary>
+        /// <param name="uri">Web location to request</param>
+        /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+        /// <exception cref="ArgumentNullException">If uri is null</exception>
+        /// <exception cref="ArgumentException">If uri is unsafe</exception>
+        public static HttpWebRequest Create(Uri uri)
+        {
+            return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
+        }
+        /// <summary>
+        /// Creates an HttpWebRequest that is hardened against malicious
+        /// endpoints after ensuring the given Uri is safe to retrieve
+        /// </summary>
+        /// <param name="uri">Web location to request</param>
+        /// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
+        /// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
+        /// <param name="timeoutMS">Connection timeout, in milliseconds</param>
+        /// <param name="maximumRedirects">Maximum number of allowed redirects</param>
+        /// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
+        /// <exception cref="ArgumentNullException">If uri is null</exception>
+        /// <exception cref="ArgumentException">If uri is unsafe</exception>
+        public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
+        {
+            if (uri == null)
+                throw new ArgumentNullException("uri");
+            if (!IsUriAllowable(uri, allowLoopback))
+                throw new ArgumentException("Uri " + uri + " was rejected");
+            HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
+            httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
+            httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
+            httpWebRequest.Timeout = timeoutMS;
+            httpWebRequest.KeepAlive = false;
+            return httpWebRequest;
+        }
+        public static string PostToUntrustedUrl(Uri url, string data)
+        {
+            try
+            {
+                byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
+                HttpWebRequest request = Create(url);
+                request.Method = "POST";
+                request.ContentLength = requestData.Length;
+                request.ContentType = "application/x-www-form-urlencoded";
+                using (Stream requestStream = request.GetRequestStream())
+                    requestStream.Write(requestData, 0, requestData.Length);
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                        return responseStream.GetStreamString();
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
+                return null;
+            }
+        }
+        public static string GetUntrustedUrl(Uri url)
+        {
+            try
+            {
+                HttpWebRequest request = Create(url);
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                        return responseStream.GetStreamString();
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
+                return null;
+            }
+        }
+        /// <summary>
+        /// Determines whether a URI is allowed based on scheme and host name.
+        /// No requireSSL check is done here
+        /// </summary>
+        /// <param name="allowLoopback">True to allow loopback addresses to be used</param>
+        /// <param name="uri">The URI to test for whether it should be allowed.</param>
+        /// <returns>
+        ///     <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
+        /// </returns>
+        private static bool IsUriAllowable(Uri uri, bool allowLoopback)
+        {
+            if (!allowableSchemes.Contains(uri.Scheme))
+            {
+                m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
+                return false;
+            }
+            // Try to interpret the hostname as an IP address so we can test for internal
+            // IP address ranges.  Note that IP addresses can appear in many forms 
+            // (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
+            // So we convert them to a canonical IPAddress instance, and test for all
+            // non-routable IP ranges: 10.*.*.*, 127.*.*.*, ::1
+            // Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
+            IPAddress hostIPAddress;
+            if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
+            {
+                byte[] addressBytes = hostIPAddress.GetAddressBytes();
+                // The host is actually an IP address.
+                switch (hostIPAddress.AddressFamily)
+                {
+                    case System.Net.Sockets.AddressFamily.InterNetwork:
+                        if (!allowLoopback && (addressBytes[0] == 127 || addressBytes[0] == 10))
+                        {
+                            m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+                            return false;
+                        }
+                        break;
+                    case System.Net.Sockets.AddressFamily.InterNetworkV6:
+                        if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
+                        {
+                            m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
+                            return false;
+                        }
+                        break;
+                    default:
+                        m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
+                        return false;
+                }
+            }
+            else
+            {
+                // The host is given by name.  We require names to contain periods to
+                // help make sure it's not an internal address.
+                if (!allowLoopback && !uri.Host.Contains("."))
+                {
+                    m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
+                    return false;
+                }
+            }
+            return true;
+        }
+        /// <summary>
+        /// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
+        /// </summary>
+        /// <param name="ip">The ip address to check.</param>
+        /// <returns>
+        ///     <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
+        /// </returns>
+        private static bool IsIPv6Loopback(IPAddress ip)
+        {
+            if (ip == null)
+                throw new ArgumentNullException("ip");
+            byte[] addressBytes = ip.GetAddressBytes();
+            for (int i = 0; i < addressBytes.Length - 1; i++)
+            {
+                if (addressBytes[i] != 0)
+                    return false;
+            }
+            if (addressBytes[addressBytes.Length - 1] != 1)
+                return false;
+            return true;
+        }
+    }
+}
diff --git a/OpenSim/Framework/WebUtil.cs b/OpenSim/Framework/WebUtil.cs
new file mode 100644
index 0000000..d9782ff
--- /dev/null
+++ b/OpenSim/Framework/WebUtil.cs
@@ -0,0 +1,330 @@
+using System;
+using System.Collections.Generic;
+using System.Collections.Specialized;
+using System.IO;
+using System.Net;
+using System.Net.Security;
+using System.Reflection;
+using System.Text;
+using System.Web;
+using log4net;
+using OpenSim.Framework.Servers.HttpServer;
+using OpenMetaverse.StructuredData;
+namespace OpenSim.Framework
+{
+    /// <summary>
+    /// Miscellaneous static methods and extension methods related to the web
+    /// </summary>
+    public static class WebUtil
+    {
+        private static readonly ILog m_log =
+                LogManager.GetLogger(
+                MethodBase.GetCurrentMethod().DeclaringType);
+        /// <summary>
+        /// Send LLSD to an HTTP client in application/llsd+json form
+        /// </summary>
+        /// <param name="response">HTTP response to send the data in</param>
+        /// <param name="body">LLSD to send to the client</param>
+        public static void SendJSONResponse(OSHttpResponse response, OSDMap body)
+        {
+            byte[] responseData = Encoding.UTF8.GetBytes(OSDParser.SerializeJsonString(body));
+            response.ContentEncoding = Encoding.UTF8;
+            response.ContentLength = responseData.Length;
+            response.ContentType = "application/llsd+json";
+            response.Body.Write(responseData, 0, responseData.Length);
+        }
+        /// <summary>
+        /// Send LLSD to an HTTP client in application/llsd+xml form
+        /// </summary>
+        /// <param name="response">HTTP response to send the data in</param>
+        /// <param name="body">LLSD to send to the client</param>
+        public static void SendXMLResponse(OSHttpResponse response, OSDMap body)
+        {
+            byte[] responseData = OSDParser.SerializeLLSDXmlBytes(body);
+            response.ContentEncoding = Encoding.UTF8;
+            response.ContentLength = responseData.Length;
+            response.ContentType = "application/llsd+xml";
+            response.Body.Write(responseData, 0, responseData.Length);
+        }
+        /// <summary>
+        /// Make a GET or GET-like request to a web service that returns LLSD
+        /// or JSON data
+        /// </summary>
+        public static OSDMap ServiceRequest(string url, string httpVerb)
+        {
+            string errorMessage;
+            try
+            {
+                HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
+                request.Method = httpVerb;
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                    {
+                        try
+                        {
+                            string responseStr = responseStream.GetStreamString();
+                            OSD responseOSD = OSDParser.Deserialize(responseStr);
+                            if (responseOSD.Type == OSDType.Map)
+                                return (OSDMap)responseOSD;
+                            else
+                                errorMessage = "Response format was invalid.";
+                        }
+                        catch
+                        {
+                            errorMessage = "Failed to parse the response.";
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("GET from URL " + url + " failed: " + ex.Message);
+                errorMessage = ex.Message;
+            }
+            return new OSDMap { { "Message", OSD.FromString("Service request failed. " + errorMessage) } };
+        }
+        /// <summary>
+        /// POST URL-encoded form data to a web service that returns LLSD or
+        /// JSON data
+        /// </summary>
+        public static OSDMap PostToService(string url, NameValueCollection data)
+        {
+            string errorMessage;
+            try
+            {
+                string queryString = BuildQueryString(data);
+                byte[] requestData = System.Text.Encoding.UTF8.GetBytes(queryString);
+                HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
+                request.Method = "POST";
+                request.ContentLength = requestData.Length;
+                request.ContentType = "application/x-www-form-urlencoded";
+                using (Stream requestStream = request.GetRequestStream())
+                    requestStream.Write(requestData, 0, requestData.Length);
+                using (WebResponse response = request.GetResponse())
+                {
+                    using (Stream responseStream = response.GetResponseStream())
+                    {
+                        try
+                        {
+                            string responseStr = responseStream.GetStreamString();
+                            OSD responseOSD = OSDParser.Deserialize(responseStr);
+                            if (responseOSD.Type == OSDType.Map)
+                                return (OSDMap)responseOSD;
+                            else
+                                errorMessage = "Response format was invalid.";
+                        }
+                        catch
+                        {
+                            errorMessage = "Failed to parse the response.";
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                m_log.Warn("POST to URL " + url + " failed: " + ex.Message);
+                errorMessage = ex.Message;
+            }
+            return new OSDMap { { "Message", OSD.FromString("Service request failed. " + errorMessage) } };
+        }
+        #region Uri
+        /// <summary>
+        /// Combines a Uri that can contain both a base Uri and relative path
+        /// with a second relative path fragment
+        /// </summary>
+        /// <param name="uri">Starting (base) Uri</param>
+        /// <param name="fragment">Relative path fragment to append to the end
+        /// of the Uri</param>
+        /// <returns>The combined Uri</returns>
+        /// <remarks>This is similar to the Uri constructor that takes a base
+        /// Uri and the relative path, except this method can append a relative
+        /// path fragment on to an existing relative path</remarks>
+        public static Uri Combine(this Uri uri, string fragment)
+        {
+            string fragment1 = uri.Fragment;
+            string fragment2 = fragment;
+            if (!fragment1.EndsWith("/"))
+                fragment1 = fragment1 + '/';
+            if (fragment2.StartsWith("/"))
+                fragment2 = fragment2.Substring(1);
+            return new Uri(uri, fragment1 + fragment2);
+        }
+        /// <summary>
+        /// Combines a Uri that can contain both a base Uri and relative path
+        /// with a second relative path fragment. If the fragment is absolute,
+        /// it will be returned without modification
+        /// </summary>
+        /// <param name="uri">Starting (base) Uri</param>
+        /// <param name="fragment">Relative path fragment to append to the end
+        /// of the Uri, or an absolute Uri to return unmodified</param>
+        /// <returns>The combined Uri</returns>
+        public static Uri Combine(this Uri uri, Uri fragment)
+        {
+            if (fragment.IsAbsoluteUri)
+                return fragment;
+            string fragment1 = uri.Fragment;
+            string fragment2 = fragment.ToString();
+            if (!fragment1.EndsWith("/"))
+                fragment1 = fragment1 + '/';
+            if (fragment2.StartsWith("/"))
+                fragment2 = fragment2.Substring(1);
+            return new Uri(uri, fragment1 + fragment2);
+        }
+        /// <summary>
+        /// Appends a query string to a Uri that may or may not have existing 
+        /// query parameters
+        /// </summary>
+        /// <param name="uri">Uri to append the query to</param>
+        /// <param name="query">Query string to append. Can either start with ?
+        /// or just containg key/value pairs</param>
+        /// <returns>String representation of the Uri with the query string
+        /// appended</returns>
+        public static string AppendQuery(this Uri uri, string query)
+        {
+            if (String.IsNullOrEmpty(query))
+                return uri.ToString();
+            if (query[0] == '?' || query[0] == '&')
+                query = query.Substring(1);
+            string uriStr = uri.ToString();
+            if (uriStr.Contains("?"))
+                return uriStr + '&' + query;
+            else
+                return uriStr + '?' + query;
+        }
+        #endregion Uri
+        #region NameValueCollection
+        /// <summary>
+        /// Convert a NameValueCollection into a query string. This is the
+        /// inverse of HttpUtility.ParseQueryString()
+        /// </summary>
+        /// <param name="parameters">Collection of key/value pairs to convert</param>
+        /// <returns>A query string with URL-escaped values</returns>
+        public static string BuildQueryString(NameValueCollection parameters)
+        {
+            List<string> items = new List<string>(parameters.Count);
+            foreach (string key in parameters.Keys)
+            {
+                foreach (string value in parameters.GetValues(key))
+                    items.Add(String.Concat(key, "=", HttpUtility.UrlEncode(value ?? String.Empty)));
+            }
+            return String.Join("&", items.ToArray());
+        }
+        /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="collection"></param>
+        /// <param name="key"></param>
+        /// <returns></returns>
+        public static string GetOne(this NameValueCollection collection, string key)
+        {
+            string[] values = collection.GetValues(key);
+            if (values != null && values.Length > 0)
+                return values[0];
+            return null;
+        }
+        #endregion NameValueCollection
+        #region Stream
+        /// <summary>
+        /// Copies the contents of one stream to another, starting at the 
+        /// current position of each stream
+        /// </summary>
+        /// <param name="copyFrom">The stream to copy from, at the position 
+        /// where copying should begin</param>
+        /// <param name="copyTo">The stream to copy to, at the position where 
+        /// bytes should be written</param>
+        /// <param name="maximumBytesToCopy">The maximum bytes to copy</param>
+        /// <returns>The total number of bytes copied</returns>
+        /// <remarks>
+        /// Copying begins at the streams' current positions. The positions are
+        /// NOT reset after copying is complete.
+        /// </remarks>
+        public static int CopyTo(this Stream copyFrom, Stream copyTo, int maximumBytesToCopy)
+        {
+            byte[] buffer = new byte[4096];
+            int readBytes;
+            int totalCopiedBytes = 0;
+            while ((readBytes = copyFrom.Read(buffer, 0, Math.Min(4096, maximumBytesToCopy))) > 0)
+            {
+                int writeBytes = Math.Min(maximumBytesToCopy, readBytes);
+                copyTo.Write(buffer, 0, writeBytes);
+                totalCopiedBytes += writeBytes;
+                maximumBytesToCopy -= writeBytes;
+            }
+            return totalCopiedBytes;
+        }
+        /// <summary>
+        /// Converts an entire stream to a string, regardless of current stream
+        /// position
+        /// </summary>
+        /// <param name="stream">The stream to convert to a string</param>
+        /// <returns></returns>
+        /// <remarks>When this method is done, the stream position will be 
+        /// reset to its previous position before this method was called</remarks>
+        public static string GetStreamString(this Stream stream)
+        {
+            string value = null;
+            if (stream != null && stream.CanRead)
+            {
+                long rewindPos = -1;
+                if (stream.CanSeek)
+                {
+                    rewindPos = stream.Position;
+                    stream.Seek(0, SeekOrigin.Begin);
+                }
+                StreamReader reader = new StreamReader(stream);
+                value = reader.ReadToEnd();
+                if (rewindPos >= 0)
+                    stream.Seek(rewindPos, SeekOrigin.Begin);
+            }
+            return value;
+        }
+        #endregion Stream
+    }
+}

diff --git a/OpenSim/Framework/MultipartForm.cs b/OpenSim/Framework/MultipartForm.cs new file mode 100644 index 0000000..8ba6d22 --- /dev/null +++ b/OpenSim/Framework/MultipartForm.cs
@@ -0,0 +1,117 @@
	1	using System;
	2	using System.Collections.Generic;
	3	using System.Net;
	4	using System.IO;
	5	using System.Text;
	6
	7	namespace OpenSim.Framework
	8	{
	9	public static class MultipartForm
	10	{
	11	#region Helper Classes
	12
	13	public abstract class Element
	14	{
	15	public string Name;
	16	}
	17
	18	public class File : Element
	19	{
	20	public string Filename;
	21	public string ContentType;
	22	public byte[] Data;
	23
	24	public File(string name, string filename, string contentType, byte[] data)
	25	{
	26	Name = name;
	27	Filename = filename;
	28	ContentType = contentType;
	29	Data = data;
	30	}
	31	}
	32
	33	public class Parameter : Element
	34	{
	35	public string Value;
	36
	37	public Parameter(string name, string value)
	38	{
	39	Name = name;
	40	Value = value;
	41	}
	42	}
	43
	44	#endregion Helper Classes
	45
	46	public static HttpWebResponse Post(HttpWebRequest request, List<Element> postParameters)
	47	{
	48	string boundary = Boundary();
	49
	50	// Set up the request properties
	51	request.Method = "POST";
	52	request.ContentType = "multipart/form-data; boundary=" + boundary;
	53
	54	#region Stream Writing
	55
	56	using (MemoryStream formDataStream = new MemoryStream())
	57	{
	58	foreach (var param in postParameters)
	59	{
	60	if (param is File)
	61	{
	62	File file = (File)param;
	63
	64	// Add just the first part of this param, since we will write the file data directly to the Stream
	65	string header = string.Format("--{0}\r\nContent-Disposition: form-data; name=\"{1}\"; filename=\"{2}\";\r\nContent-Type: {3}\r\n\r\n",
	66	boundary,
	67	file.Name,
	68	!String.IsNullOrEmpty(file.Filename) ? file.Filename : "tempfile",
	69	file.ContentType);
	70
	71	formDataStream.Write(Encoding.UTF8.GetBytes(header), 0, header.Length);
	72	formDataStream.Write(file.Data, 0, file.Data.Length);
	73	}
	74	else
	75	{
	76	Parameter parameter = (Parameter)param;
	77
	78	string postData = string.Format("--{0}\r\nContent-Disposition: form-data; name=\"{1}\"\r\n\r\n{2}\r\n",
	79	boundary,
	80	parameter.Name,
	81	parameter.Value);
	82	formDataStream.Write(Encoding.UTF8.GetBytes(postData), 0, postData.Length);
	83	}
	84	}
	85
	86	// Add the end of the request
	87	byte[] footer = Encoding.UTF8.GetBytes("\r\n--" + boundary + "--\r\n");
	88	formDataStream.Write(footer, 0, footer.Length);
	89
	90	request.ContentLength = formDataStream.Length;
	91
	92	// Copy the temporary stream to the network stream
	93	formDataStream.Seek(0, SeekOrigin.Begin);
	94	using (Stream requestStream = request.GetRequestStream())
	95	formDataStream.CopyTo(requestStream, (int)formDataStream.Length);
	96	}
	97
	98	#endregion Stream Writing
	99
	100	return request.GetResponse() as HttpWebResponse;
	101	}
	102
	103	private static string Boundary()
	104	{
	105	Random rnd = new Random();
	106	string formDataBoundary = String.Empty;
	107
	108	while (formDataBoundary.Length < 15)
	109	formDataBoundary = formDataBoundary + rnd.Next();
	110
	111	formDataBoundary = formDataBoundary.Substring(0, 15);
	112	formDataBoundary = "-----------------------------" + formDataBoundary;
	113
	114	return formDataBoundary;
	115	}
	116	}
	117	}


diff --git a/OpenSim/Framework/UntrustedWebRequest.cs b/OpenSim/Framework/UntrustedWebRequest.cs new file mode 100644 index 0000000..1af7c41 --- /dev/null +++ b/OpenSim/Framework/UntrustedWebRequest.cs
@@ -0,0 +1,203 @@
	1	using System;
	2	using System.Collections.Generic;
	3	using System.IO;
	4	using System.Net;
	5	using System.Net.Security;
	6	using System.Text;
	7	using log4net;
	8
	9	namespace OpenSim.Framework
	10	{
	11	/// <summary>
	12	/// Used for requests to untrusted endpoints that may potentially be
	13	/// malicious
	14	/// </summary>
	15	public static class UntrustedHttpWebRequest
	16	{
	17	/// <summary>Setting this to true will allow HTTP connections to localhost</summary>
	18	private const bool DEBUG = true;
	19
	20	private static readonly ILog m_log =
	21	LogManager.GetLogger(
	22	System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
	23
	24	private static readonly ICollection<string> allowableSchemes = new List<string> { "http", "https" };
	25
	26	/// <summary>
	27	/// Creates an HttpWebRequest that is hardened against malicious
	28	/// endpoints after ensuring the given Uri is safe to retrieve
	29	/// </summary>
	30	/// <param name="uri">Web location to request</param>
	31	/// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
	32	/// <exception cref="ArgumentNullException">If uri is null</exception>
	33	/// <exception cref="ArgumentException">If uri is unsafe</exception>
	34	public static HttpWebRequest Create(Uri uri)
	35	{
	36	return Create(uri, DEBUG, 1000 * 5, 1000 * 20, 10);
	37	}
	38
	39	/// <summary>
	40	/// Creates an HttpWebRequest that is hardened against malicious
	41	/// endpoints after ensuring the given Uri is safe to retrieve
	42	/// </summary>
	43	/// <param name="uri">Web location to request</param>
	44	/// <param name="allowLoopback">True to allow connections to localhost, otherwise false</param>
	45	/// <param name="readWriteTimeoutMS">Read write timeout, in milliseconds</param>
	46	/// <param name="timeoutMS">Connection timeout, in milliseconds</param>
	47	/// <param name="maximumRedirects">Maximum number of allowed redirects</param>
	48	/// <returns>A hardened HttpWebRequest if the uri was determined to be safe</returns>
	49	/// <exception cref="ArgumentNullException">If uri is null</exception>
	50	/// <exception cref="ArgumentException">If uri is unsafe</exception>
	51	public static HttpWebRequest Create(Uri uri, bool allowLoopback, int readWriteTimeoutMS, int timeoutMS, int maximumRedirects)
	52	{
	53	if (uri == null)
	54	throw new ArgumentNullException("uri");
	55
	56	if (!IsUriAllowable(uri, allowLoopback))
	57	throw new ArgumentException("Uri " + uri + " was rejected");
	58
	59	HttpWebRequest httpWebRequest = (HttpWebRequest)HttpWebRequest.Create(uri);
	60	httpWebRequest.MaximumAutomaticRedirections = maximumRedirects;
	61	httpWebRequest.ReadWriteTimeout = readWriteTimeoutMS;
	62	httpWebRequest.Timeout = timeoutMS;
	63	httpWebRequest.KeepAlive = false;
	64
	65	return httpWebRequest;
	66	}
	67
	68	public static string PostToUntrustedUrl(Uri url, string data)
	69	{
	70	try
	71	{
	72	byte[] requestData = System.Text.Encoding.UTF8.GetBytes(data);
	73
	74	HttpWebRequest request = Create(url);
	75	request.Method = "POST";
	76	request.ContentLength = requestData.Length;
	77	request.ContentType = "application/x-www-form-urlencoded";
	78
	79	using (Stream requestStream = request.GetRequestStream())
	80	requestStream.Write(requestData, 0, requestData.Length);
	81
	82	using (WebResponse response = request.GetResponse())
	83	{
	84	using (Stream responseStream = response.GetResponseStream())
	85	return responseStream.GetStreamString();
	86	}
	87	}
	88	catch (Exception ex)
	89	{
	90	m_log.Warn("POST to untrusted URL " + url + " failed: " + ex.Message);
	91	return null;
	92	}
	93	}
	94
	95	public static string GetUntrustedUrl(Uri url)
	96	{
	97	try
	98	{
	99	HttpWebRequest request = Create(url);
	100
	101	using (WebResponse response = request.GetResponse())
	102	{
	103	using (Stream responseStream = response.GetResponseStream())
	104	return responseStream.GetStreamString();
	105	}
	106	}
	107	catch (Exception ex)
	108	{
	109	m_log.Warn("GET from untrusted URL " + url + " failed: " + ex.Message);
	110	return null;
	111	}
	112	}
	113
	114	/// <summary>
	115	/// Determines whether a URI is allowed based on scheme and host name.
	116	/// No requireSSL check is done here
	117	/// </summary>
	118	/// <param name="allowLoopback">True to allow loopback addresses to be used</param>
	119	/// <param name="uri">The URI to test for whether it should be allowed.</param>
	120	/// <returns>
	121	/// <c>true</c> if [is URI allowable] [the specified URI]; otherwise, <c>false</c>.
	122	/// </returns>
	123	private static bool IsUriAllowable(Uri uri, bool allowLoopback)
	124	{
	125	if (!allowableSchemes.Contains(uri.Scheme))
	126	{
	127	m_log.WarnFormat("Rejecting URL {0} because it uses a disallowed scheme.", uri);
	128	return false;
	129	}
	130
	131	// Try to interpret the hostname as an IP address so we can test for internal
	132	// IP address ranges. Note that IP addresses can appear in many forms
	133	// (e.g. http://127.0.0.1, http://2130706433, http://0x0100007f, http://::1
	134	// So we convert them to a canonical IPAddress instance, and test for all
	135	// non-routable IP ranges: 10..., 127..., ::1
	136	// Note that Uri.IsLoopback is very unreliable, not catching many of these variants.
	137	IPAddress hostIPAddress;
	138	if (IPAddress.TryParse(uri.DnsSafeHost, out hostIPAddress))
	139	{
	140	byte[] addressBytes = hostIPAddress.GetAddressBytes();
	141
	142	// The host is actually an IP address.
	143	switch (hostIPAddress.AddressFamily)
	144	{
	145	case System.Net.Sockets.AddressFamily.InterNetwork:
	146	if (!allowLoopback && (addressBytes[0] == 127 \|\| addressBytes[0] == 10))
	147	{
	148	m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
	149	return false;
	150	}
	151	break;
	152	case System.Net.Sockets.AddressFamily.InterNetworkV6:
	153	if (!allowLoopback && IsIPv6Loopback(hostIPAddress))
	154	{
	155	m_log.WarnFormat("Rejecting URL {0} because it is a loopback address.", uri);
	156	return false;
	157	}
	158	break;
	159	default:
	160	m_log.WarnFormat("Rejecting URL {0} because it does not use an IPv4 or IPv6 address.", uri);
	161	return false;
	162	}
	163	}
	164	else
	165	{
	166	// The host is given by name. We require names to contain periods to
	167	// help make sure it's not an internal address.
	168	if (!allowLoopback && !uri.Host.Contains("."))
	169	{
	170	m_log.WarnFormat("Rejecting URL {0} because it does not contain a period in the host name.", uri);
	171	return false;
	172	}
	173	}
	174
	175	return true;
	176	}
	177
	178	/// <summary>
	179	/// Determines whether an IP address is the IPv6 equivalent of "localhost/127.0.0.1".
	180	/// </summary>
	181	/// <param name="ip">The ip address to check.</param>
	182	/// <returns>
	183	/// <c>true</c> if this is a loopback IP address; <c>false</c> otherwise.
	184	/// </returns>
	185	private static bool IsIPv6Loopback(IPAddress ip)
	186	{
	187	if (ip == null)
	188	throw new ArgumentNullException("ip");
	189
	190	byte[] addressBytes = ip.GetAddressBytes();
	191	for (int i = 0; i < addressBytes.Length - 1; i++)
	192	{
	193	if (addressBytes[i] != 0)
	194	return false;
	195	}
	196
	197	if (addressBytes[addressBytes.Length - 1] != 1)
	198	return false;
	199
	200	return true;
	201	}
	202	}
	203	}


diff --git a/OpenSim/Framework/WebUtil.cs b/OpenSim/Framework/WebUtil.cs new file mode 100644 index 0000000..d9782ff --- /dev/null +++ b/OpenSim/Framework/WebUtil.cs
@@ -0,0 +1,330 @@
	1	using System;
	2	using System.Collections.Generic;
	3	using System.Collections.Specialized;
	4	using System.IO;
	5	using System.Net;
	6	using System.Net.Security;
	7	using System.Reflection;
	8	using System.Text;
	9	using System.Web;
	10	using log4net;
	11	using OpenSim.Framework.Servers.HttpServer;
	12	using OpenMetaverse.StructuredData;
	13
	14	namespace OpenSim.Framework
	15	{
	16	/// <summary>
	17	/// Miscellaneous static methods and extension methods related to the web
	18	/// </summary>
	19	public static class WebUtil
	20	{
	21	private static readonly ILog m_log =
	22	LogManager.GetLogger(
	23	MethodBase.GetCurrentMethod().DeclaringType);
	24
	25	/// <summary>
	26	/// Send LLSD to an HTTP client in application/llsd+json form
	27	/// </summary>
	28	/// <param name="response">HTTP response to send the data in</param>
	29	/// <param name="body">LLSD to send to the client</param>
	30	public static void SendJSONResponse(OSHttpResponse response, OSDMap body)
	31	{
	32	byte[] responseData = Encoding.UTF8.GetBytes(OSDParser.SerializeJsonString(body));
	33
	34	response.ContentEncoding = Encoding.UTF8;
	35	response.ContentLength = responseData.Length;
	36	response.ContentType = "application/llsd+json";
	37	response.Body.Write(responseData, 0, responseData.Length);
	38	}
	39
	40	/// <summary>
	41	/// Send LLSD to an HTTP client in application/llsd+xml form
	42	/// </summary>
	43	/// <param name="response">HTTP response to send the data in</param>
	44	/// <param name="body">LLSD to send to the client</param>
	45	public static void SendXMLResponse(OSHttpResponse response, OSDMap body)
	46	{
	47	byte[] responseData = OSDParser.SerializeLLSDXmlBytes(body);
	48
	49	response.ContentEncoding = Encoding.UTF8;
	50	response.ContentLength = responseData.Length;
	51	response.ContentType = "application/llsd+xml";
	52	response.Body.Write(responseData, 0, responseData.Length);
	53	}
	54
	55	/// <summary>
	56	/// Make a GET or GET-like request to a web service that returns LLSD
	57	/// or JSON data
	58	/// </summary>
	59	public static OSDMap ServiceRequest(string url, string httpVerb)
	60	{
	61	string errorMessage;
	62
	63	try
	64	{
	65	HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
	66	request.Method = httpVerb;
	67
	68	using (WebResponse response = request.GetResponse())
	69	{
	70	using (Stream responseStream = response.GetResponseStream())
	71	{
	72	try
	73	{
	74	string responseStr = responseStream.GetStreamString();
	75	OSD responseOSD = OSDParser.Deserialize(responseStr);
	76	if (responseOSD.Type == OSDType.Map)
	77	return (OSDMap)responseOSD;
	78	else
	79	errorMessage = "Response format was invalid.";
	80	}
	81	catch
	82	{
	83	errorMessage = "Failed to parse the response.";
	84	}
	85	}
	86	}
	87	}
	88	catch (Exception ex)
	89	{
	90	m_log.Warn("GET from URL " + url + " failed: " + ex.Message);
	91	errorMessage = ex.Message;
	92	}
	93
	94	return new OSDMap { { "Message", OSD.FromString("Service request failed. " + errorMessage) } };
	95	}
	96
	97	/// <summary>
	98	/// POST URL-encoded form data to a web service that returns LLSD or
	99	/// JSON data
	100	/// </summary>
	101	public static OSDMap PostToService(string url, NameValueCollection data)
	102	{
	103	string errorMessage;
	104
	105	try
	106	{
	107	string queryString = BuildQueryString(data);
	108	byte[] requestData = System.Text.Encoding.UTF8.GetBytes(queryString);
	109
	110	HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
	111	request.Method = "POST";
	112	request.ContentLength = requestData.Length;
	113	request.ContentType = "application/x-www-form-urlencoded";
	114
	115	using (Stream requestStream = request.GetRequestStream())
	116	requestStream.Write(requestData, 0, requestData.Length);
	117
	118	using (WebResponse response = request.GetResponse())
	119	{
	120	using (Stream responseStream = response.GetResponseStream())
	121	{
	122	try
	123	{
	124	string responseStr = responseStream.GetStreamString();
	125	OSD responseOSD = OSDParser.Deserialize(responseStr);
	126	if (responseOSD.Type == OSDType.Map)
	127	return (OSDMap)responseOSD;
	128	else
	129	errorMessage = "Response format was invalid.";
	130	}
	131	catch
	132	{
	133	errorMessage = "Failed to parse the response.";
	134	}
	135	}
	136	}
	137	}
	138	catch (Exception ex)
	139	{
	140	m_log.Warn("POST to URL " + url + " failed: " + ex.Message);
	141	errorMessage = ex.Message;
	142	}
	143
	144	return new OSDMap { { "Message", OSD.FromString("Service request failed. " + errorMessage) } };
	145	}
	146
	147	#region Uri
	148
	149	/// <summary>
	150	/// Combines a Uri that can contain both a base Uri and relative path
	151	/// with a second relative path fragment
	152	/// </summary>
	153	/// <param name="uri">Starting (base) Uri</param>
	154	/// <param name="fragment">Relative path fragment to append to the end
	155	/// of the Uri</param>
	156	/// <returns>The combined Uri</returns>
	157	/// <remarks>This is similar to the Uri constructor that takes a base
	158	/// Uri and the relative path, except this method can append a relative
	159	/// path fragment on to an existing relative path</remarks>
	160	public static Uri Combine(this Uri uri, string fragment)
	161	{
	162	string fragment1 = uri.Fragment;
	163	string fragment2 = fragment;
	164
	165	if (!fragment1.EndsWith("/"))
	166	fragment1 = fragment1 + '/';
	167	if (fragment2.StartsWith("/"))
	168	fragment2 = fragment2.Substring(1);
	169
	170	return new Uri(uri, fragment1 + fragment2);
	171	}
	172
	173	/// <summary>
	174	/// Combines a Uri that can contain both a base Uri and relative path
	175	/// with a second relative path fragment. If the fragment is absolute,
	176	/// it will be returned without modification
	177	/// </summary>
	178	/// <param name="uri">Starting (base) Uri</param>
	179	/// <param name="fragment">Relative path fragment to append to the end
	180	/// of the Uri, or an absolute Uri to return unmodified</param>
	181	/// <returns>The combined Uri</returns>
	182	public static Uri Combine(this Uri uri, Uri fragment)
	183	{
	184	if (fragment.IsAbsoluteUri)
	185	return fragment;
	186
	187	string fragment1 = uri.Fragment;
	188	string fragment2 = fragment.ToString();
	189
	190	if (!fragment1.EndsWith("/"))
	191	fragment1 = fragment1 + '/';
	192	if (fragment2.StartsWith("/"))
	193	fragment2 = fragment2.Substring(1);
	194
	195	return new Uri(uri, fragment1 + fragment2);
	196	}
	197
	198	/// <summary>
	199	/// Appends a query string to a Uri that may or may not have existing
	200	/// query parameters
	201	/// </summary>
	202	/// <param name="uri">Uri to append the query to</param>
	203	/// <param name="query">Query string to append. Can either start with ?
	204	/// or just containg key/value pairs</param>
	205	/// <returns>String representation of the Uri with the query string
	206	/// appended</returns>
	207	public static string AppendQuery(this Uri uri, string query)
	208	{
	209	if (String.IsNullOrEmpty(query))
	210	return uri.ToString();
	211
	212	if (query[0] == '?' \|\| query[0] == '&')
	213	query = query.Substring(1);
	214
	215	string uriStr = uri.ToString();
	216
	217	if (uriStr.Contains("?"))
	218	return uriStr + '&' + query;
	219	else
	220	return uriStr + '?' + query;
	221	}
	222
	223	#endregion Uri
	224
	225	#region NameValueCollection
	226
	227	/// <summary>
	228	/// Convert a NameValueCollection into a query string. This is the
	229	/// inverse of HttpUtility.ParseQueryString()
	230	/// </summary>
	231	/// <param name="parameters">Collection of key/value pairs to convert</param>
	232	/// <returns>A query string with URL-escaped values</returns>
	233	public static string BuildQueryString(NameValueCollection parameters)
	234	{
	235	List<string> items = new List<string>(parameters.Count);
	236
	237	foreach (string key in parameters.Keys)
	238	{
	239	foreach (string value in parameters.GetValues(key))
	240	items.Add(String.Concat(key, "=", HttpUtility.UrlEncode(value ?? String.Empty)));
	241	}
	242
	243	return String.Join("&", items.ToArray());
	244	}
	245
	246	/// <summary>
	247	///
	248	/// </summary>
	249	/// <param name="collection"></param>
	250	/// <param name="key"></param>
	251	/// <returns></returns>
	252	public static string GetOne(this NameValueCollection collection, string key)
	253	{
	254	string[] values = collection.GetValues(key);
	255	if (values != null && values.Length > 0)
	256	return values[0];
	257
	258	return null;
	259	}
	260
	261	#endregion NameValueCollection
	262
	263	#region Stream
	264
	265	/// <summary>
	266	/// Copies the contents of one stream to another, starting at the
	267	/// current position of each stream
	268	/// </summary>
	269	/// <param name="copyFrom">The stream to copy from, at the position
	270	/// where copying should begin</param>
	271	/// <param name="copyTo">The stream to copy to, at the position where
	272	/// bytes should be written</param>
	273	/// <param name="maximumBytesToCopy">The maximum bytes to copy</param>
	274	/// <returns>The total number of bytes copied</returns>
	275	/// <remarks>
	276	/// Copying begins at the streams' current positions. The positions are
	277	/// NOT reset after copying is complete.
	278	/// </remarks>
	279	public static int CopyTo(this Stream copyFrom, Stream copyTo, int maximumBytesToCopy)
	280	{
	281	byte[] buffer = new byte[4096];
	282	int readBytes;
	283	int totalCopiedBytes = 0;
	284
	285	while ((readBytes = copyFrom.Read(buffer, 0, Math.Min(4096, maximumBytesToCopy))) > 0)
	286	{
	287	int writeBytes = Math.Min(maximumBytesToCopy, readBytes);
	288	copyTo.Write(buffer, 0, writeBytes);
	289	totalCopiedBytes += writeBytes;
	290	maximumBytesToCopy -= writeBytes;
	291	}
	292
	293	return totalCopiedBytes;
	294	}
	295
	296	/// <summary>
	297	/// Converts an entire stream to a string, regardless of current stream
	298	/// position
	299	/// </summary>
	300	/// <param name="stream">The stream to convert to a string</param>
	301	/// <returns></returns>
	302	/// <remarks>When this method is done, the stream position will be
	303	/// reset to its previous position before this method was called</remarks>
	304	public static string GetStreamString(this Stream stream)
	305	{
	306	string value = null;
	307
	308	if (stream != null && stream.CanRead)
	309	{
	310	long rewindPos = -1;
	311
	312	if (stream.CanSeek)
	313	{
	314	rewindPos = stream.Position;
	315	stream.Seek(0, SeekOrigin.Begin);
	316	}
	317
	318	StreamReader reader = new StreamReader(stream);
	319	value = reader.ReadToEnd();
	320
	321	if (rewindPos >= 0)
	322	stream.Seek(rewindPos, SeekOrigin.Begin);
	323	}
	324
	325	return value;
	326	}
	327
	328	#endregion Stream
	329	}
	330	}