From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001
From: Johan Berntsson
Date: Wed, 23 Jul 2008 06:59:02 +0000
Subject: thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)
---
 .../Communications/Cache/CachedUserInfo.cs | 24 ++++++++++++------
 .../Cache/UserProfileCacheService.cs | 29 +++++++++++++++++++++-
 2 files changed, 45 insertions(+), 8 deletions(-)
(limited to 'OpenSim/Framework/Communications/Cache')
diff --git a/OpenSim/Framework/Communications/Cache/CachedUserInfo.cs b/OpenSim/Framework/Communications/Cache/CachedUserInfo.cs
index 4e57ead..c125976 100644
--- a/OpenSim/Framework/Communications/Cache/CachedUserInfo.cs
+++ b/OpenSim/Framework/Communications/Cache/CachedUserInfo.cs
@@ -87,6 +87,9 @@ namespace OpenSim.Framework.Communications.Cache
 private IDictionary> pendingCategorizationFolders = new Dictionary>();
+ private LLUUID m_session_id = LLUUID.Zero;
+ public LLUUID SessionID { get { return m_session_id; } }
+
 ///
 /// Constructor
 ///
@@ -98,6 +101,13 @@ namespace OpenSim.Framework.Communications.Cache
 m_userProfile = userProfile;
 }
+ public CachedUserInfo(CommunicationsManager commsManager, UserProfileData userProfile, IClientAPI remoteClient)
+ {
+ m_commsManager = commsManager;
+ m_userProfile = userProfile;
+ m_session_id = remoteClient.SessionId;
+ }
+
 ///
 /// This allows a request to be added to be processed once we receive a user's inventory
 /// from the inventory service. If we already have the inventory, the request
@@ -325,7 +335,7 @@ namespace OpenSim.Framework.Communications.Cache
 createdBaseFolder.Type = createdFolder.Type;
 createdBaseFolder.Version = createdFolder.Version;
- m_commsManager.InventoryService.AddFolder(createdBaseFolder);
+ m_commsManager.SecureInventoryService.AddFolder(createdBaseFolder, m_session_id);
 return true;
 }
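Review bot: `m_session_id` defaults to `LLUUID.Zero` in the `-87,6 +87,9` hunk of CachedUserInfo.cs, and the two-argument constructor that this patch keeps never sets it. Any `CachedUserInfo` built that way (for example through the retained `AddNewUser(LLUUID userID)` overload in UserProfileCacheService.cs) will therefore present an all-zero session on every `SecureInventoryService` call. How the inventory server treats a zero session is not visible in this patch, so confirm that it rejects it rather than treating it as "no check". As far as the visible hunks show, the field is assigned only during construction, so `private readonly LLUUID m_session_id = LLUUID.Zero;` fits, with a comment such as `// LLUUID.Zero = no authenticated session; the inventory service must refuse it`.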
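Review bot: The three-argument constructor added in the `-98,6 +101,13` hunk reads `remoteClient.SessionId` without a null check and, unlike the constructor above it, has no XML doc comment. A guard such as `if (remoteClient == null) throw new ArgumentNullException("remoteClient");` would turn a later NullReferenceException into a clear argument error. A `<summary>` should state that the client's session id is captured once here and sent with every inventory request. The existing constructor's body starts outside the hunk; if it contains only the two assignments shown, chaining with `: this(commsManager, userProfile)` would avoid repeating them.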
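Review bot: The result of `SecureInventoryService.AddFolder(createdBaseFolder, m_session_id)` in the `-325,7 +335,7` hunk is discarded and the method goes on to `return true`, so a request the inventory server refuses for a bad session would be reported to the caller as success. With this patch a refusal becomes an expected outcome rather than a rare transport error, and in the `-505,7 +515,7` hunk `ItemReceive(item)` has already run before the service is asked. The same pattern is in the `UpdateFolder`, `MoveFolder`, `PurgeFolder`, `AddItem` and `UpdateItem` hunks; only the `DeleteItem` hunk returns the service result. If these service methods return a bool, as `DeleteItem` appears to, propagate it, e.g. `return m_commsManager.SecureInventoryService.AddFolder(createdBaseFolder, m_session_id);`, or at least log the refusal. The enclosing methods start and end outside the hunks, so the surrounding control flow should be checked.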
@@ -379,7 +389,7 @@ namespace OpenSim.Framework.Communications.Cache
 baseFolder.Type = (short)type;
 baseFolder.Version = RootFolder.Version;
- m_commsManager.InventoryService.UpdateFolder(baseFolder);
+ m_commsManager.SecureInventoryService.UpdateFolder(baseFolder, m_session_id);
 InventoryFolderImpl folder = RootFolder.FindFolder(folderID);
 if (folder != null)
@@ -421,7 +431,7 @@ namespace OpenSim.Framework.Communications.Cache
 baseFolder.ID = folderID;
 baseFolder.ParentID = parentID;
- m_commsManager.InventoryService.MoveFolder(baseFolder);
+ m_commsManager.SecureInventoryService.MoveFolder(baseFolder, m_session_id);
 InventoryFolderImpl folder = RootFolder.FindFolder(folderID);
 if (folder != null)
@@ -468,7 +478,7 @@ namespace OpenSim.Framework.Communications.Cache
 purgedBaseFolder.Type = purgedFolder.Type;
 purgedBaseFolder.Version = purgedFolder.Version;
- m_commsManager.InventoryService.PurgeFolder(purgedBaseFolder);
+ m_commsManager.SecureInventoryService.PurgeFolder(purgedBaseFolder, m_session_id);
 purgedFolder.Purge();
@@ -505,7 +515,7 @@ namespace OpenSim.Framework.Communications.Cache
 item.Folder = RootFolder.ID;
 }
 ItemReceive(item);
- m_commsManager.InventoryService.AddItem(item);
+ m_commsManager.SecureInventoryService.AddItem(item, m_session_id);
 }
 else
 {
@@ -525,7 +535,7 @@ namespace OpenSim.Framework.Communications.Cache
 {
 if (HasInventory)
 {
- m_commsManager.InventoryService.UpdateItem(item);
+ m_commsManager.SecureInventoryService.UpdateItem(item, m_session_id);
 }
 else
 {
@@ -564,7 +574,7 @@ namespace OpenSim.Framework.Communications.Cache
 if (RootFolder.DeleteItem(item.ID))
 {
- return m_commsManager.InventoryService.DeleteItem(item);
+ return m_commsManager.SecureInventoryService.DeleteItem(item, m_session_id);
 }
 }
 else
diff --git a/OpenSim/Framework/Communications/Cache/UserProfileCacheService.cs b/OpenSim/Framework/Communications/Cache/UserProfileCacheService.cs
index 0040718..e22dff6 100644
--- a/OpenSim/Framework/Communications/Cache/UserProfileCacheService.cs
+++ b/OpenSim/Framework/Communications/Cache/UserProfileCacheService.cs
@@ -63,6 +63,33 @@ namespace OpenSim.Framework.Communications.Cache
 /// A new user has moved into a region in this instance so retrieve their profile from the user service.
 ///
 ///
+ public void AddNewUser(IClientAPI remoteClient)
+ {
+ // Potential fix - Multithreading issue.
+ lock (m_userProfiles)
+ {
+ if (!m_userProfiles.ContainsKey(remoteClient.AgentId))
+ {
+ UserProfileData userProfile = m_commsManager.UserService.GetUserProfile(remoteClient.AgentId);
+ CachedUserInfo userInfo = new CachedUserInfo(m_commsManager, userProfile, remoteClient);
+
+ if (userInfo.UserProfile != null)
+ {
+ // The inventory for the user will be populated when they actually enter the scene
+ m_userProfiles.Add(remoteClient.AgentId, userInfo);
+ }
+ else
+ {
+ m_log.ErrorFormat("[USER CACHE]: User profile for user {0} not found.", remoteClient.AgentId);
+ }
+ }
+ }
+ }
+
+ ///
+ /// A new user has moved into a region in this instance so retrieve their profile from the user service.
+ ///
+ ///
+ public void AddNewUser(LLUUID userID)
 {
 // Potential fix - Multithreading issue.
@@ -119,7 +146,7 @@ namespace OpenSim.Framework.Communications.Cache
 CachedUserInfo userInfo = GetUserDetails(userID);
 if (userInfo != null)
 {
- m_commsManager.InventoryService.RequestInventoryForUser(userID, userInfo.InventoryReceive);
+ m_commsManager.SecureInventoryService.RequestInventoryForUser(userID, userInfo.SessionID, userInfo.InventoryReceive);
 //IInventoryServices invService = userInfo.GetInventoryService();
 //if (invService != null)
 //{
-- cgit v1.1
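Review bot: The session id is captured only when a cache entry is first created, because `if (!m_userProfiles.ContainsKey(remoteClient.AgentId))` in the new `AddNewUser(IClientAPI remoteClient)` skips the whole block for an agent that is already cached. An entry left over from an earlier login, or one created through the `AddNewUser(LLUUID userID)` overload, therefore keeps its old or zero `SessionID`. The `-119,7 +146,7` hunk then sends that value in `RequestInventoryForUser(userID, userInfo.SessionID, userInfo.InventoryReceive)`. Whether entries are evicted on logout is not visible in this patch; if they are not, the existing entry should be replaced, or its session refreshed, when `remoteClient.SessionId` differs from the cached one. A comment on the `ContainsKey` check, e.g. `// an existing entry keeps the session id it was created with`, would make the assumption visible.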