From 0413d052a3ec541164049e7d39278c57fb92ed06 Mon Sep 17 00:00:00 2001 From: diva Date: Tue, 14 Apr 2009 19:35:35 +0000 Subject: Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities. --- .../Grid/UserServer.Modules/UserLoginService.cs | 1 + OpenSim/Grid/UserServer.Modules/UserManager.cs | 85 ++++------------------ 2 files changed, 15 insertions(+), 71 deletions(-) (limited to 'OpenSim/Grid') diff --git a/OpenSim/Grid/UserServer.Modules/UserLoginService.cs b/OpenSim/Grid/UserServer.Modules/UserLoginService.cs index 3598ac6..795efaa 100644 --- a/OpenSim/Grid/UserServer.Modules/UserLoginService.cs +++ b/OpenSim/Grid/UserServer.Modules/UserLoginService.cs @@ -83,6 +83,7 @@ namespace OpenSim.Grid.UserServer.Modules m_httpServer.AddXmlRPCHandler("login_to_simulator", XmlRpcLoginMethod); m_httpServer.AddHTTPHandler("login", ProcessHTMLLogin); m_httpServer.AddXmlRPCHandler("set_login_params", XmlRPCSetLoginParams); + m_httpServer.AddXmlRPCHandler("check_auth_session", XmlRPCCheckAuthSession); if (registerLLSDHandler) { diff --git a/OpenSim/Grid/UserServer.Modules/UserManager.cs b/OpenSim/Grid/UserServer.Modules/UserManager.cs index 515c2bf..33b43e4 100644 --- a/OpenSim/Grid/UserServer.Modules/UserManager.cs +++ b/OpenSim/Grid/UserServer.Modules/UserManager.cs @@ -109,7 +109,6 @@ namespace OpenSim.Grid.UserServer.Modules m_httpServer.AddXmlRPCHandler("update_user_current_region", XmlRPCAtRegion); m_httpServer.AddXmlRPCHandler("logout_of_simulator", XmlRPCLogOffUserMethodUUID); m_httpServer.AddXmlRPCHandler("get_agent_by_uuid", XmlRPCGetAgentMethodUUID); - m_httpServer.AddXmlRPCHandler("check_auth_session", XmlRPCCheckAuthSession); m_httpServer.AddXmlRPCHandler("update_user_profile", XmlRpcResponseXmlRPCUpdateUserProfile); 
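Review bot: The `check_auth_session` handler registered here in UserLoginService is reachable by any XML-RPC client that can reach the user server, and nothing in this hunk restricts who may call it; the implementation removed from UserManager in this same commit answered `auth_session` TRUE/FALSE for any (`avatar_uuid`, `session_id`) pair, so if the relocated `XmlRPCCheckAuthSession` (outside this diff — the diffstat shows only one insertion in this file) keeps that contract it is an unauthenticated session-validity oracle. Consider restricting the endpoint to trusted region servers (for example by requiring the grid's shared key in the request, if this deployment uses one) or at least logging the caller's address, so that a leaked session ID cannot be confirmed anonymously. If the method was moved verbatim, also carry over a fix to its log line: the removed version wrote `CheckAuthSession TRUE for user {0}` on every well-formed request regardless of the outcome, which should become `m_log.InfoFormat("[UserManager]: CheckAuthSession {0} for user {1}", authed, guess_aid);`.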
@@ -133,21 +132,6 @@ namespace OpenSim.Grid.UserServer.Modules return "OK"; } - /// - /// Returns an error message that the user could not be found in the database - /// - /// XML string consisting of a error element containing individual error(s) - public XmlRpcResponse CreateUnknownUserErrorResponse() - { - XmlRpcResponse response = new XmlRpcResponse(); - Hashtable responseData = new Hashtable(); - responseData["error_type"] = "unknown_user"; - responseData["error_desc"] = "The user requested is not in the database"; - - response.Value = responseData; - return response; - } - public XmlRpcResponse AvatarPickerListtoXmlRPCResponse(UUID queryID, List returnUsers) { XmlRpcResponse response = new XmlRpcResponse(); @@ -278,7 +262,7 @@ namespace OpenSim.Grid.UserServer.Modules string query = (string)requestData["avatar_name"]; if (null == query) - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); // Regex objAlphaNumericPattern = new Regex("[^a-zA-Z0-9]"); @@ -289,17 +273,17 @@ namespace OpenSim.Grid.UserServer.Modules userProfile = m_userDataBaseService.GetUserProfile(querysplit[0], querysplit[1]); if (userProfile == null) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } } else { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } } else { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } return ProfileToXmlRPCResponse(userProfile); @@ -322,17 +306,17 @@ namespace OpenSim.Grid.UserServer.Modules } catch (FormatException) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } if (userProfile == null) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } } else { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } return ProfileToXmlRPCResponse(userProfile); 
@@ -353,20 +337,20 @@ namespace OpenSim.Grid.UserServer.Modules if (guess == UUID.Zero) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } userProfile = m_userDataBaseService.GetUserProfile(guess); if (userProfile == null) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } // no agent??? if (userProfile.CurrentAgent == null) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } Hashtable responseData = new Hashtable(); 
@@ -381,53 +365,12 @@ namespace OpenSim.Grid.UserServer.Modules } else { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } return response; } - public XmlRpcResponse XmlRPCCheckAuthSession(XmlRpcRequest request) - { - XmlRpcResponse response = new XmlRpcResponse(); - Hashtable requestData = (Hashtable)request.Params[0]; - UserProfileData userProfile; - - string authed = "FALSE"; - if (requestData.Contains("avatar_uuid") && requestData.Contains("session_id")) - { - UUID guess_aid; - UUID guess_sid; - - UUID.TryParse((string)requestData["avatar_uuid"], out guess_aid); - if (guess_aid == UUID.Zero) - { - return CreateUnknownUserErrorResponse(); - } - UUID.TryParse((string)requestData["session_id"], out guess_sid); - if (guess_sid == UUID.Zero) - { - return CreateUnknownUserErrorResponse(); - } - userProfile = m_userDataBaseService.GetUserProfile(guess_aid); - if (userProfile != null && userProfile.CurrentAgent != null && - userProfile.CurrentAgent.SessionID == guess_sid) - { - authed = "TRUE"; - } - m_log.InfoFormat("[UserManager]: CheckAuthSession TRUE for user {0}", guess_aid); - } - else - { - m_log.InfoFormat("[UserManager]: CheckAuthSession FALSE"); - return CreateUnknownUserErrorResponse(); - } - Hashtable responseData = new Hashtable(); - responseData["auth_session"] = authed; - response.Value = responseData; - return response; - } - public XmlRpcResponse XmlRpcResponseXmlRPCUpdateUserProfile(XmlRpcRequest request) { m_log.Debug("[UserManager]: Got request to update user profile"); 
@@ -437,14 +380,14 @@ namespace OpenSim.Grid.UserServer.Modules if (!requestData.Contains("avatar_uuid")) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } UUID UserUUID = new UUID((string)requestData["avatar_uuid"]); UserProfileData userProfile = m_userDataBaseService.GetUserProfile(UserUUID); if (null == userProfile) { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } // don't know how yet. if (requestData.Contains("AllowPublish")) @@ -656,7 +599,7 @@ namespace OpenSim.Grid.UserServer.Modules } else { - return CreateUnknownUserErrorResponse(); + return Util.CreateUnknownUserErrorResponse(); } return response; -- cgit v1.1