From 344c9caeb671f3d9dab80f05d18a7dc9f3075bc1 Mon Sep 17 00:00:00 2001
From: Johan Berntsson
Date: Wed, 23 Jul 2008 06:59:02 +0000
Subject: thanks lulurun for a security patch that blocks unathorized access to
 the inventory server (see
 http://opensimulator.org/wiki/Security_vulnerability_brought_by_non-check_inventory_service)

---
 OpenSim/Grid/UserServer/Main.cs        |  1 +
 OpenSim/Grid/UserServer/UserManager.cs | 39 ++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

(limited to 'OpenSim/Grid/UserServer')

diff --git a/OpenSim/Grid/UserServer/Main.cs b/OpenSim/Grid/UserServer/Main.cs
index c7011a9..30a41f4 100644
--- a/OpenSim/Grid/UserServer/Main.cs
+++ b/OpenSim/Grid/UserServer/Main.cs
@@ -142,6 +142,7 @@ namespace OpenSim.Grid.UserServer
             m_httpServer.AddXmlRPCHandler("update_user_current_region", m_userManager.XmlRPCAtRegion);
             m_httpServer.AddXmlRPCHandler("logout_of_simulator", m_userManager.XmlRPCLogOffUserMethodUUID);
             m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", m_userManager.XmlRPCGetAgentMethodUUID);
+            m_httpServer.AddXmlRPCHandler("check_auth_session", m_userManager.XmlRPCCheckAuthSession);
             // Message Server ---> User Server
             m_httpServer.AddXmlRPCHandler("register_messageserver", m_messagesService.XmlRPCRegisterMessageServer);
             m_httpServer.AddXmlRPCHandler("agent_change_region", m_messagesService.XmlRPCUserMovedtoRegion);
diff --git a/OpenSim/Grid/UserServer/UserManager.cs b/OpenSim/Grid/UserServer/UserManager.cs
index ff62d78..a43ade1 100644
--- a/OpenSim/Grid/UserServer/UserManager.cs
+++ b/OpenSim/Grid/UserServer/UserManager.cs
@@ -457,6 +457,45 @@ namespace OpenSim.Grid.UserServer
             return response;
         }
 
+        public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request)
+        {
+            XmlRpcResponse response = new XmlRpcResponse();
+            Hashtable requestData = (Hashtable)request.Params[0];
+            UserProfileData userProfile;
+
+            string authed = "FALSE";
+            if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id"))
+            {
+                LLUUID guess_aid = LLUUID.Zero;
+                LLUUID guess_sid = LLUUID.Zero;
+
+                Helpers.TryParse((string)requestData["avatar_uuid"], out guess_aid);
+                if (guess_aid == LLUUID.Zero)
+                {
+                    return CreateUnknownUserErrorResponse();
+                }
+                Helpers.TryParse((string)requestData["session_id"], out guess_sid);
+                if (guess_sid == LLUUID.Zero)
+                {
+                    return CreateUnknownUserErrorResponse();
+                }
+                userProfile = GetUserProfile(guess_aid);
+                if (userProfile != null && userProfile.CurrentAgent != null && userProfile.CurrentAgent.SessionID == guess_sid)
+                {
+                    authed = "TRUE";
+                }
+                m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid);
+            }
+            else
+            {
+                m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE");
+                return CreateUnknownUserErrorResponse();
+            }
+            Hashtable responseData = new Hashtable();
+            responseData["auth_session"] = authed;
+            response.Value = responseData;
+            return response;
+        }
 
         public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request)
         {
-- 
cgit v1.1