From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001
From: Johan Berntsson
Date: Wed, 23 Jul 2008 06:59:02 +0000
Subject: thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)
---
 OpenSim/Grid/InventoryServer/Main.cs | 39 ++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 19 deletions(-)
(limited to 'OpenSim/Grid/InventoryServer/Main.cs')
diff --git a/OpenSim/Grid/InventoryServer/Main.cs b/OpenSim/Grid/InventoryServer/Main.cs
index 2ab1916..138aa1a 100644
--- a/OpenSim/Grid/InventoryServer/Main.cs
+++ b/OpenSim/Grid/InventoryServer/Main.cs
@@ -70,7 +70,8 @@ namespace OpenSim.Grid.InventoryServer
 m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml")));
- m_inventoryService = new GridInventoryService();
+ //m_inventoryService = new GridInventoryService();
+ m_inventoryService = new GridInventoryService(m_config.UserServerURL);
 m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect);
 m_log.Info("[" + LogName + "]: Starting HTTP server ...");
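Review bot: The old constructor call survives as the commented-out line `//m_inventoryService = new GridInventoryService();` directly above its replacement; delete it rather than leave dead code in the startup path, since version control already records the previous form. The new constructor is handed `m_config.UserServerURL`, and nothing in the hunk checks that the value was actually set in InventoryServer_Config.xml; if the constructor does not validate it either, a blank or mistyped URL would presumably only surface when the first session check fails at request time, so consider failing fast here with `if (string.IsNullOrEmpty(m_config.UserServerURL)) throw new InvalidOperationException("UserServerURL is not set in InventoryServer_Config.xml");` before the service is constructed. The enclosing method starts and ends outside the hunk.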
@@ -85,36 +86,36 @@ namespace OpenSim.Grid.InventoryServer
 protected void AddHttpHandlers()
 {
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/GetInventory/", m_inventoryService.GetUserInventory));
+ new RestDeserialiseSecureHandler(
+ "POST", "/GetInventory/", m_inventoryService.GetUserInventory, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory));
+ new RestDeserialiseTrustedHandler(
+ "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory, m_inventoryService.CheckTrustSource));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/NewFolder/", m_inventoryService.AddFolder));
+ new RestDeserialiseSecureHandler(
+ "POST", "/NewFolder/", m_inventoryService.AddFolder, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder));
+ new RestDeserialiseSecureHandler(
+ "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/MoveFolder/", m_inventoryService.MoveFolder));
+ new RestDeserialiseSecureHandler(
+ "POST", "/MoveFolder/", m_inventoryService.MoveFolder, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder));
+ new RestDeserialiseSecureHandler(
+ "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/NewItem/", m_inventoryService.AddItem));
+ new RestDeserialiseSecureHandler(
+ "POST", "/NewItem/", m_inventoryService.AddItem, m_inventoryService.CheckAuthSession));
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler(
- "POST", "/DeleteItem/", m_inventoryService.DeleteItem));
+ new RestDeserialiseSecureHandler(
+ "POST", "/DeleteItem/", m_inventoryService.DeleteItem, m_inventoryService.CheckAuthSession));
 // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g
 // system folders such as Objects, Textures), but it now returns the entire inventory skeleton.
@@ -122,8 +123,8 @@ namespace OpenSim.Grid.InventoryServer
 // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier
 // to do this for now.
 m_httpServer.AddStreamHandler(
- new RestDeserialiseHandler>
- ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton));
+ new RestDeserialiseTrustedHandler>
+ ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton, m_inventoryService.CheckTrustSource));
 }
 private void Work()
-- cgit v1.1
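Review bot: Access control for every inventory route now rests entirely on which check is paired with each handler, yet nothing in `AddHttpHandlers` records why `/CreateInventory/` here and `/RootFolders/` in the next hunk use `RestDeserialiseTrustedHandler` with `CheckTrustSource` while the other six routes use `RestDeserialiseSecureHandler` with `CheckAuthSession`; add a comment above the first trusted registration along the lines of `// Source-trust check instead of a user session: this route is meant to be called by another grid service, not by a client holding a session — see CheckTrustSource.`, adjusted to whatever `CheckTrustSource` actually verifies, which is not visible here. Because the plain `RestDeserialiseHandler` is exactly what left these routes unchecked, it is also worth a comment at the top of the method stating that no inventory route may be registered with the unchecked handler, so a future route added by copy-paste does not silently reopen the hole. The generic type arguments of the handler types appear stripped on this page, so their signatures cannot be confirmed from the hunk. `AddHttpHandlers` opens in this hunk but closes in the next one.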