From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001
From: Johan Berntsson
Date: Wed, 23 Jul 2008 06:59:02 +0000
Subject: thanks lulurun for a security patch that blocks unathorized access to
 the inventory server (see
 http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)

---
 .../Grid/InventoryServer/GridInventoryService.cs   | 41 ++++++++++++++++++++++
 1 file changed, 41 insertions(+)

(limited to 'OpenSim/Grid/InventoryServer/GridInventoryService.cs')

diff --git a/OpenSim/Grid/InventoryServer/GridInventoryService.cs b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
index 5388263..78f33a3 100644
--- a/OpenSim/Grid/InventoryServer/GridInventoryService.cs
+++ b/OpenSim/Grid/InventoryServer/GridInventoryService.cs
@@ -26,12 +26,15 @@
  */
 
 using System;
+using System.Collections;
 using System.Collections.Generic;
 using System.Reflection;
 using System.Threading;
+using System.Net;
 
 using libsecondlife;
 using log4net;
+using Nwc.XmlRpc;
 
 using OpenSim.Framework;
 using OpenSim.Framework.Communications;
@@ -46,6 +49,44 @@ namespace OpenSim.Grid.InventoryServer
         private static readonly ILog m_log
             = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
 
+        private string m_userserver_url;
+
+        public GridInventoryService(string userserver_url)
+        {
+            m_userserver_url = userserver_url;
+        }
+
+        public bool CheckTrustSource(IPEndPoint peer)
+        {
+            m_log.InfoFormat("[GRID AGENT INVENTORY]: checking trusted source {0}", peer.ToString());
+            UriBuilder ub = new UriBuilder(m_userserver_url);
+            if (ub.Host == peer.Address.ToString())
+            {
+                return true;
+            }
+            return false;
+        }
+
+        public bool CheckAuthSession(string session_id, string avatar_id)
+        {
+            m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session {0} {1}", session_id, avatar_id);
+            Hashtable requestData = new Hashtable();
+            requestData["avatar_uuid"] = avatar_id;
+            requestData["session_id"] = session_id;
+            ArrayList SendParams = new ArrayList();
+            SendParams.Add(requestData);
+            XmlRpcRequest UserReq = new XmlRpcRequest("check_auth_session", SendParams);
+            XmlRpcResponse UserResp = UserReq.Send(m_userserver_url, 3000);
+
+            Hashtable responseData = (Hashtable)UserResp.Value;
+
+            if (responseData.ContainsKey("auth_session") && responseData["auth_session"].ToString() == "TRUE")
+            {
+                return true;
+            }
+            return false;
+        }
+
         public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback)
         {
         }
-- 
cgit v1.1