From f629fdb88d35d1c2f0a3ce97fdd7d9acdc25e11f Mon Sep 17 00:00:00 2001
From: Melanie Thielker
Date: Sat, 12 Jul 2008 06:24:43 +0000
Subject: Patches #9143 and #9144 (Mantis #1723) Changes the permissions module
 to make scripts permissive only when intended Adds security checks to asset
 transfers to prevent hacked clients fron requesting script sources. Adds
 security checks to llClientView to verify all aspects of ownership and
 permissions for inventory based script retrieval.

---
 OpenSim/Framework/Communications/Cache/AssetCache.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'OpenSim/Framework/Communications')

diff --git a/OpenSim/Framework/Communications/Cache/AssetCache.cs b/OpenSim/Framework/Communications/Cache/AssetCache.cs
index d0bcc98..90b0a10 100644
--- a/OpenSim/Framework/Communications/Cache/AssetCache.cs
+++ b/OpenSim/Framework/Communications/Cache/AssetCache.cs
@@ -445,7 +445,10 @@ namespace OpenSim.Framework.Communications.Cache
                         req.NumPackets = CalculateNumPackets(assetInf.Data);
 
                         RequestedAssets.Remove(assetInf.FullID);
-                        AssetRequests.Add(req);
+                        // If it's a direct request for a script, drop it
+                        // because it's a hacked client
+                        if(req.AssetRequestSource != 2 || assetInf.Type != 10)
+                            AssetRequests.Add(req);
                     }
                 }
             }
@@ -609,6 +612,10 @@ namespace OpenSim.Framework.Communications.Cache
                 return;
             }
 
+            // Scripts cannot be retrieved by direct request
+            if (transferRequest.TransferInfo.SourceType == 2 && asset.Type == 10)
+                return;
+
             // The asset is knosn to exist and is in our cache, so add it to the AssetRequests list
             AssetRequest req = new AssetRequest();
             req.RequestUser = userInfo;
-- 
cgit v1.1