From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001 From: Johan Berntsson Date: Wed, 23 Jul 2008 06:59:02 +0000 Subject: thanks lulurun for a security patch that blocks unathorized access to the inventory server (see http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service) --- .../Grid/InventoryServer/GridInventoryService.cs | 41 ++++++++++++++++++++++ OpenSim/Grid/InventoryServer/Main.cs | 39 ++++++++++---------- 2 files changed, 61 insertions(+), 19 deletions(-) (limited to 'OpenSim/Grid/InventoryServer') diff --git a/OpenSim/Grid/InventoryServer/GridInventoryService.cs b/OpenSim/Grid/InventoryServer/GridInventoryService.cs index 5388263..78f33a3 100644 --- a/OpenSim/Grid/InventoryServer/GridInventoryService.cs +++ b/OpenSim/Grid/InventoryServer/GridInventoryService.cs @@ -26,12 +26,15 @@ */ using System; +using System.Collections; using System.Collections.Generic; using System.Reflection; using System.Threading; +using System.Net; using libsecondlife; using log4net; +using Nwc.XmlRpc; using OpenSim.Framework; using OpenSim.Framework.Communications; @@ -46,6 +49,44 @@ namespace OpenSim.Grid.InventoryServer private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); + private string m_userserver_url; + + public GridInventoryService(string userserver_url) + { + m_userserver_url = userserver_url; + } + + public bool CheckTrustSource(IPEndPoint peer) + { + m_log.InfoFormat("[GRID AGENT INVENTORY]: checking trusted source {0}", peer.ToString()); + UriBuilder ub = new UriBuilder(m_userserver_url); + if (ub.Host == peer.Address.ToString()) + { + return true; + } + return false; + } + + public bool CheckAuthSession(string session_id, string avatar_id) + { + m_log.InfoFormat("[GRID AGENT INVENTORY]: checking authed session {0} {1}", session_id, avatar_id); + Hashtable requestData = new Hashtable(); + requestData["avatar_uuid"] = avatar_id; + requestData["session_id"] = session_id; + ArrayList SendParams = new ArrayList(); + SendParams.Add(requestData); + XmlRpcRequest UserReq = new XmlRpcRequest("check_auth_session", SendParams); + XmlRpcResponse UserResp = UserReq.Send(m_userserver_url, 3000); + + Hashtable responseData = (Hashtable)UserResp.Value; + + if (responseData.ContainsKey("auth_session") && responseData["auth_session"].ToString() == "TRUE") + { + return true; + } + return false; + } + public override void RequestInventoryForUser(LLUUID userID, InventoryReceiptCallback callback) { } diff --git a/OpenSim/Grid/InventoryServer/Main.cs b/OpenSim/Grid/InventoryServer/Main.cs index 2ab1916..138aa1a 100644 --- a/OpenSim/Grid/InventoryServer/Main.cs +++ b/OpenSim/Grid/InventoryServer/Main.cs @@ -70,7 +70,8 @@ namespace OpenSim.Grid.InventoryServer m_config = new InventoryConfig(LogName, (Path.Combine(Util.configDir(), "InventoryServer_Config.xml"))); - m_inventoryService = new GridInventoryService(); + //m_inventoryService = new GridInventoryService(); + m_inventoryService = new GridInventoryService(m_config.UserServerURL); m_inventoryService.AddPlugin(m_config.DatabaseProvider, m_config.DatabaseConnect); m_log.Info("[" + LogName + "]: Starting HTTP server ..."); @@ -85,36 +86,36 @@ namespace OpenSim.Grid.InventoryServer protected void AddHttpHandlers() { m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/GetInventory/", m_inventoryService.GetUserInventory)); + new RestDeserialiseSecureHandler( + "POST", "/GetInventory/", m_inventoryService.GetUserInventory, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory)); + new RestDeserialiseTrustedHandler( + "POST", "/CreateInventory/", m_inventoryService.CreateUsersInventory, m_inventoryService.CheckTrustSource)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/NewFolder/", m_inventoryService.AddFolder)); + new RestDeserialiseSecureHandler( + "POST", "/NewFolder/", m_inventoryService.AddFolder, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder)); + new RestDeserialiseSecureHandler( + "POST", "/UpdateFolder/", m_inventoryService.UpdateFolder, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/MoveFolder/", m_inventoryService.MoveFolder)); + new RestDeserialiseSecureHandler( + "POST", "/MoveFolder/", m_inventoryService.MoveFolder, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder)); + new RestDeserialiseSecureHandler( + "POST", "/PurgeFolder/", m_inventoryService.PurgeFolder, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/NewItem/", m_inventoryService.AddItem)); + new RestDeserialiseSecureHandler( + "POST", "/NewItem/", m_inventoryService.AddItem, m_inventoryService.CheckAuthSession)); m_httpServer.AddStreamHandler( - new RestDeserialiseHandler( - "POST", "/DeleteItem/", m_inventoryService.DeleteItem)); + new RestDeserialiseSecureHandler( + "POST", "/DeleteItem/", m_inventoryService.DeleteItem, m_inventoryService.CheckAuthSession)); // WARNING: Root folders no longer just delivers the root and immediate child folders (e.g // system folders such as Objects, Textures), but it now returns the entire inventory skeleton. @@ -122,8 +123,8 @@ namespace OpenSim.Grid.InventoryServer // (e.g. any http request not found is automatically treated as an xmlrpc request) make it easier // to do this for now. m_httpServer.AddStreamHandler( - new RestDeserialiseHandler> - ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton)); + new RestDeserialiseTrustedHandler> + ("POST", "/RootFolders/", m_inventoryService.GetInventorySkeleton, m_inventoryService.CheckTrustSource)); } private void Work() -- cgit v1.1