From 8d2b4b7b487f7a35b610d894c03619e638866473 Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Thu, 15 Jul 2010 20:03:08 +0200 Subject: Fix a few permissions vulnerability. Owners could cause permissions escalation on items contained in prims using a hacked viewer --- OpenSim/Region/Framework/Scenes/Scene.Inventory.cs | 35 ++++++++++++++++++++-- OpenSim/Region/Framework/Scenes/SceneObjectPart.cs | 3 ++ .../Framework/Scenes/SceneObjectPartInventory.cs | 6 ---- 3 files changed, 35 insertions(+), 9 deletions(-) diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs index c77efc7..e1674be 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs 
@@ -1359,16 +1359,45 @@ namespace OpenSim.Region.Framework.Scenes { agentTransactions.HandleTaskItemUpdateFromTransaction( remoteClient, part, transactionID, currentItem); - } - if (part.Inventory.UpdateInventoryItem(itemInfo)) - { + if ((InventoryType)itemInfo.InvType == InventoryType.Notecard) remoteClient.SendAgentAlertMessage("Notecard saved", false); else if ((InventoryType)itemInfo.InvType == InventoryType.LSL) remoteClient.SendAgentAlertMessage("Script saved", false); else remoteClient.SendAgentAlertMessage("Item saved", false); + } + // Check if we're allowed to mess with permissions + if (!Permissions.IsGod(remoteClient.AgentId)) // Not a god + { + if (remoteClient.AgentId != part.OwnerID) // Not owner + { + // Friends and group members can't change any perms + itemInfo.BasePermissions = currentItem.BasePermissions; + itemInfo.EveryonePermissions = currentItem.EveryonePermissions; + itemInfo.GroupPermissions = currentItem.GroupPermissions; + itemInfo.NextPermissions = currentItem.NextPermissions; + itemInfo.CurrentPermissions = currentItem.CurrentPermissions; + } + else + { + // Owner can't change base, and can change other + // only up to base + // Base ALWAYS has move + currentItem.BasePermissions |= (uint)PermissionMask.Move; + itemInfo.BasePermissions = currentItem.BasePermissions; + itemInfo.EveryonePermissions &= currentItem.BasePermissions; + itemInfo.GroupPermissions &= currentItem.BasePermissions; + itemInfo.CurrentPermissions &= currentItem.BasePermissions; + itemInfo.NextPermissions &= currentItem.BasePermissions; + // Next ALWAYS has move + itemInfo.NextPermissions |= (uint)PermissionMask.Move; + } + + } + if (part.Inventory.UpdateInventoryItem(itemInfo)) + { part.GetProperties(remoteClient); } } diff --git a/OpenSim/Region/Framework/Scenes/SceneObjectPart.cs b/OpenSim/Region/Framework/Scenes/SceneObjectPart.cs index 87b2d74..b19c443 100644 --- a/OpenSim/Region/Framework/Scenes/SceneObjectPart.cs 
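Review bot: The clamp added before `part.Inventory.UpdateInventoryItem(itemInfo)` normalises only the five permission masks, so every other field of the viewer-supplied `itemInfo` still reaches the update exactly as the client sent it. Whether `UpdateInventoryItem` restores the ownership and asset fields from the stored item is not visible in this hunk; if it does not, copy them from `currentItem` here as well, or record the dependency with `// itemInfo comes from the viewer: only the masks are clamped here, UpdateInventoryItem must not trust its other fields`. The owner branch also writes `currentItem.BasePermissions |= (uint)PermissionMask.Move` into the stored item before the update is known to succeed, and the ownership test uses `part.OwnerID` rather than the item's own owner, which deserves a comment if the two can differ. The enclosing method starts and ends outside the hunk.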
+++ b/OpenSim/Region/Framework/Scenes/SceneObjectPart.cs @@ -4156,6 +4156,9 @@ namespace OpenSim.Region.Framework.Scenes // objects if ((_nextOwnerMask & (uint)PermissionMask.Copy) == 0) _nextOwnerMask |= (uint)PermissionMask.Transfer; + + _nextOwnerMask |= (uint)PermissionMask.Move; + break; } SendFullUpdateToAllClients(); diff --git a/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs b/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs index 0066158..2a3727a 100644 --- a/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs +++ b/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs @@ -762,12 +762,6 @@ namespace OpenSim.Region.Framework.Scenes else if ((InventoryType)item.Type == InventoryType.Notecard) { ScenePresence presence = m_part.ParentGroup.Scene.GetScenePresence(item.OwnerID); - - if (presence != null) - { - presence.ControllingClient.SendAgentAlertMessage( - "Notecard saved", false); - } } m_items[item.ItemID] = item; -- cgit v1.1 From 3f91805afbff1b69ebebcee4ed2593671cf12e12 Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Thu, 15 Jul 2010 20:28:18 +0200 Subject: prevent hacked viewers from being able to delete arbitrary items from any prim. Allow friends with perms and shared group members to move or copy things out of prims --- OpenSim/Region/Framework/Scenes/Scene.Inventory.cs | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs index e1674be..4575068 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs @@ -935,6 +935,9 @@ namespace OpenSim.Region.Framework.Scenes } if (part != null && group != null) { + if (!Permissions.CanEditObjectInventory(part.UUID, remoteClient.AgentId)) + return; + TaskInventoryItem item = group.GetInventoryItem(localID, itemID); if (item == null) return; 
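Review bot: The added `_nextOwnerMask |= (uint)PermissionMask.Move;` in SceneObjectPart.cs forces a bit into the next-owner mask with no comment saying why and no clamp against the part's base permissions. The same commit states the rule for inventory items as "Next ALWAYS has move"; a matching comment here, `// Next owner ALWAYS has move, same rule as task inventory items`, would stop a later reader from treating the line as an accidental grant. The statement sits inside a switch case that starts outside the hunk, so whether other cases need the same treatment cannot be judged from here.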
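Review bot: The new `CanEditObjectInventory` check in the `@@ -935` hunk refuses the request with a bare `return`, so a denied delete leaves no trace; the two `return`s added in the `@@ -1074` hunk of the same commit have the same gap. The commit message names modified viewers as the source of these requests, so a log line before each return would make them visible to operators, for example `m_log.WarnFormat("[PRIM INVENTORY]: {0} denied inventory change on part {1}", remoteClient.AgentId, part.UUID);` (this assumes the class has an `m_log` logger like the other files on this page, which is not visible here). The enclosing method starts and ends outside the hunk.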
@@ -1074,9 +1077,21 @@ namespace OpenSim.Region.Framework.Scenes return; } - // Only owner can copy - if (remoteClient.AgentId != taskItem.OwnerID) - return; + TaskInventoryItem item = part.Inventory.GetInventoryItem(itemId); + if ((item.CurrentPermissions & (uint)PermissionMask.Copy) == 0) + { + // If the item to be moved is no copy, we need to be able to + // edit the prim. + if (!Permissions.CanEditObjectInventory(part.UUID, remoteClient.AgentId)) + return; + } + else + { + // If the item is copiable, then we just need to have perms + // on it. The delete check is a pure rights check + if (!Permissions.CanDeleteObject(part.UUID, remoteClient.AgentId)) + return; + } MoveTaskInventoryItem(remoteClient, folderId, part, itemId); } -- cgit v1.1 From 2e5f200b3b571575c6fefe58d2a4a37bf0745303 Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Fri, 16 Jul 2010 20:23:41 +0200 Subject: Fix showing CreateSelected on all parts of a rez --- .../CoreModules/Framework/InventoryAccess/InventoryAccessModule.cs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/OpenSim/Region/CoreModules/Framework/InventoryAccess/InventoryAccessModule.cs b/OpenSim/Region/CoreModules/Framework/InventoryAccess/InventoryAccessModule.cs index 1bf3a66..c300250 100644 --- a/OpenSim/Region/CoreModules/Framework/InventoryAccess/InventoryAccessModule.cs +++ b/OpenSim/Region/CoreModules/Framework/InventoryAccess/InventoryAccessModule.cs @@ -529,7 +529,11 @@ namespace OpenSim.Region.CoreModules.Framework.InventoryAccess // find small items. // if (!attachment) + { group.RootPart.CreateSelected = true; + foreach (SceneObjectPart child in group.Children.Values) + child.CreateSelected = true; + } if (!m_Scene.Permissions.CanRezObject( group.Children.Count, remoteClient.AgentId, pos) -- cgit v1.1 From 236c0f8e8b5f9ef86c8614b53e5f404754c9e8d9 Mon Sep 17 00:00:00 2001 
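Review bot: `item.CurrentPermissions` is read straight after `part.Inventory.GetInventoryItem(itemId)` with no null check, and `itemId` comes from the client, so an id that is not in this part's inventory would presumably throw instead of being refused. The `@@ -935` hunk of the same commit already guards its lookup with `if (item == null) return;`, and the same guard belongs here before the permission test. The removed line used a `taskItem` variable that may already hold this item; the lookup that sets it is outside the hunk, so reusing it instead of fetching again is only a suggestion.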
From: Kitto Flora Date: Fri, 16 Jul 2010 22:17:06 +0000 Subject: Fix llSetForecAndTorque([0]) stops linear motion. Mantis #187 --- OpenSim/Region/Physics/ChOdePlugin/ODEPrim.cs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/OpenSim/Region/Physics/ChOdePlugin/ODEPrim.cs b/OpenSim/Region/Physics/ChOdePlugin/ODEPrim.cs index 6b17ce7..7e70db9 100644 --- a/OpenSim/Region/Physics/ChOdePlugin/ODEPrim.cs +++ b/OpenSim/Region/Physics/ChOdePlugin/ODEPrim.cs @@ -1735,6 +1735,13 @@ namespace OpenSim.Region.Physics.OdePlugin if (m_isphysical) { disableBodySoft(); + + if (Body != IntPtr.Zero) + { + d.BodySetLinearVel(Body, 0f, 0f, 0f); + d.BodySetForce(Body, 0, 0, 0); + enableBodySoft(); + } } } else @@ -1756,6 +1763,7 @@ namespace OpenSim.Region.Physics.OdePlugin d.GeomSetCategoryBits(prim_geom, (int)m_collisionCategories); d.GeomSetCollideBits(prim_geom, (int)m_collisionFlags); } +/* Uhhh - stop the motion if the object is _selected_!! if (m_isphysical) { if (Body != IntPtr.Zero) @@ -1765,6 +1773,7 @@ namespace OpenSim.Region.Physics.OdePlugin enableBodySoft(); } } +*/ } resetCollisionAccounting(); -- cgit v1.1 From 9bf6179d24cc7fd63643627914272adc78385f1e Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Sat, 17 Jul 2010 02:26:09 +0200 Subject: Fix scripted give of items --- OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs index defe633..b196642 100644 --- a/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs +++ b/OpenSim/Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs 
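Review bot: In the first ODEPrim.cs hunk the added block calls `enableBodySoft()` immediately after the existing `disableBodySoft()`, which appears to undo the disable that this branch has just performed. If the intent is only to zero velocity and force while the body stays disabled, drop the `enableBodySoft();` line; if the re-enable is intended, a comment such as `// re-enable so the zeroed velocity takes effect` should say so. The surrounding method is outside the hunk, so which branch this is has been inferred from the visible context lines.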
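Review bot: The second ODEPrim.cs hunk disables the old block with `/* ... */` instead of deleting it, and the only explanation left behind is `Uhhh - stop the motion if the object is _selected_!!`. The equivalent code is added in the first hunk of this commit, so the dead copy can be removed; a one-line comment such as `// Motion is stopped on select, not here (Mantis #187)` keeps the reasoning without the stale code.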
@@ -4177,7 +4177,7 @@ namespace OpenSim.Region.ScriptEngine.Shared.Api byte[] bucket = new byte[17]; bucket[0] = (byte)assetType; - byte[] objBytes = objId.GetBytes(); + byte[] objBytes = agentItem.ID.GetBytes(); Array.Copy(objBytes, 0, bucket, 1, 16); Console.WriteLine("Giving inventory"); -- cgit v1.1 From e06b7ee3689bdfd8d71ef3199edb2fb220ec5c21 Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Sat, 17 Jul 2010 02:38:00 +0200 Subject: Make webloading more robust by addign retries --- .../RegionLoader/Web/RegionLoaderWebServer.cs | 48 ++++++++++------------ 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs b/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs index 0ec4af5..dd224cd 100644 --- a/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs +++ b/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs @@ -48,6 +48,9 @@ namespace OpenSim.Framework.RegionLoader.Web public RegionInfo[] LoadRegions() { + int tries = 3; + int wait = 2000; + if (m_configSource == null) { m_log.Error("[WEBLOADER]: Unable to load configuration source!"); 
@@ -64,35 +67,28 @@ namespace OpenSim.Framework.RegionLoader.Web } else { - HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create(url); - webRequest.Timeout = 30000; //30 Second Timeout - m_log.Debug("[WEBLOADER]: Sending Download Request..."); - HttpWebResponse webResponse = (HttpWebResponse) webRequest.GetResponse(); - m_log.Debug("[WEBLOADER]: Downloading Region Information From Remote Server..."); - StreamReader reader = new StreamReader(webResponse.GetResponseStream()); - string xmlSource = String.Empty; - string tempStr = reader.ReadLine(); - while (tempStr != null) - { - xmlSource = xmlSource + tempStr; - tempStr = reader.ReadLine(); - } - m_log.Debug("[WEBLOADER]: Done downloading region information from server. Total Bytes: " + - xmlSource.Length); - XmlDocument xmlDoc = new XmlDocument(); - xmlDoc.LoadXml(xmlSource); - if (xmlDoc.FirstChild.Name == "Regions") + while (tries > 0) { - RegionInfo[] regionInfos = new RegionInfo[xmlDoc.FirstChild.ChildNodes.Count]; - int i; - for (i = 0; i < xmlDoc.FirstChild.ChildNodes.Count; i++) + HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create(url); + webRequest.Timeout = 30000; //30 Second Timeout + m_log.Debug("[WEBLOADER]: Sending Download Request..."); + HttpWebResponse webResponse = (HttpWebResponse) webRequest.GetResponse(); + m_log.Debug("[WEBLOADER]: Downloading Region Information From Remote Server..."); + StreamReader reader = new StreamReader(webResponse.GetResponseStream()); + string xmlSource = String.Empty; + string tempStr = reader.ReadLine(); + while (tempStr != null) { - m_log.Debug(xmlDoc.FirstChild.ChildNodes[i].OuterXml); - regionInfos[i] = - new RegionInfo("REGION CONFIG #" + (i + 1), xmlDoc.FirstChild.ChildNodes[i],false,m_configSource); + xmlSource = xmlSource + tempStr; + tempStr = reader.ReadLine(); + } + m_log.Debug("[WEBLOADER]: Request yielded no regions."); + tries--; + if (tries > 0) + { + m_log.Debug("[WEBLOADER]: Retrying"); + System.Threading.Thread.Sleep(wait); } - 
- return regionInfos; } return null; } -- cgit v1.1 From d1040c9ff9b47b143e456d06801bd6be148bb1b9 Mon Sep 17 00:00:00 2001 From: Melanie Thielker Date: Sat, 17 Jul 2010 02:46:04 +0200 Subject: Replace the screenful of code i deleted. --- .../RegionLoader/Web/RegionLoaderWebServer.cs | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs b/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs index dd224cd..f0ffc2c 100644 --- a/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs +++ b/OpenSim/Framework/RegionLoader/Web/RegionLoaderWebServer.cs @@ -82,6 +82,25 @@ namespace OpenSim.Framework.RegionLoader.Web xmlSource = xmlSource + tempStr; tempStr = reader.ReadLine(); } + m_log.Debug("[WEBLOADER]: Done downloading region information from server. Total Bytes: " + + xmlSource.Length); + XmlDocument xmlDoc = new XmlDocument(); + xmlDoc.LoadXml(xmlSource); + if (xmlDoc.FirstChild.Name == "Regions") + { + RegionInfo[] regionInfos = new RegionInfo[xmlDoc.FirstChild.ChildNodes.Count]; + int i; + for (i = 0; i < xmlDoc.FirstChild.ChildNodes.Count; i++) + { + m_log.Debug(xmlDoc.FirstChild.ChildNodes[i].OuterXml); + regionInfos[i] = + new RegionInfo("REGION CONFIG #" + (i + 1), xmlDoc.FirstChild.ChildNodes[i],false,m_configSource); + } + + if (i > 0) + return regionInfos; + } + m_log.Debug("[WEBLOADER]: Request yielded no regions."); tries--; if (tries > 0) -- cgit v1.1
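Review bot: The retry loop added in the `@@ -64` hunk only covers a response that arrives and yields no regions; `webRequest.GetResponse()` throws on a timeout or connection failure and nothing in the hunk catches it, so the failures that retries are meant for would leave `LoadRegions` on the first attempt. `webResponse` and `reader` are also never closed, which now leaves one open connection per attempt. Catching the download error inside the loop and wrapping both objects in `using` addresses both points; `LoadRegions` begins outside this hunk.

```csharp
while (tries > 0)
{
    try
    {
        // … unchanged: create webRequest, set Timeout …
        using (HttpWebResponse webResponse = (HttpWebResponse) webRequest.GetResponse())
        using (StreamReader reader = new StreamReader(webResponse.GetResponseStream()))
        {
            // … unchanged: read loop into xmlSource …
        }
    }
    catch (WebException e)
    {
        m_log.Warn("[WEBLOADER]: Region download failed: " + e.Message);
    }
    // … unchanged: tries--, retry log and sleep …
```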
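Review bot: `xmlDoc.LoadXml(xmlSource)` parses a document fetched from a remote URL with default `XmlDocument` settings, and on framework versions of this era that likely means DTDs and external entities in the response are resolved. Setting `xmlDoc.XmlResolver = null;` before `LoadXml` removes that exposure when the region server or the transport is not fully trusted. Two smaller points in the same block: `xmlDoc.FirstChild` is the XML declaration when the response carries one, so `xmlDoc.DocumentElement.Name == "Regions"` is the safer test, and `m_log.Debug(xmlDoc.FirstChild.ChildNodes[i].OuterXml)` writes each region's full configuration to the log, which is worth dropping if that XML can carry credentials.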