From 0413d052a3ec541164049e7d39278c57fb92ed06 Mon Sep 17 00:00:00 2001
From: diva
Date: Tue, 14 Apr 2009 19:35:35 +0000
Subject: Adds session authentication upon NewUserConnections. Adds user key authentication (in safemode only) upon CreateChildAgents. All of this for Hypergrid users too. This addresses assorted spoofing vulnerabilities.
---
 OpenSim/Region/Framework/Scenes/Scene.cs | 93 +++++++++++++++++++--------------
 1 file changed, 55 insertions(+), 38 deletions(-)
(limited to 'OpenSim/Region/Framework')
diff --git a/OpenSim/Region/Framework/Scenes/Scene.cs b/OpenSim/Region/Framework/Scenes/Scene.cs
index c26adc0..5ffa64c 100644
--- a/OpenSim/Region/Framework/Scenes/Scene.cs
+++ b/OpenSim/Region/Framework/Scenes/Scene.cs
@@ -40,6 +40,7 @@ using OpenMetaverse.Imaging;
 using OpenSim.Framework;
 using OpenSim.Framework.Communications;
 using OpenSim.Framework.Communications.Cache;
+using OpenSim.Framework.Communications.Clients;
 using OpenSim.Framework.Console;
 using OpenSim.Region.Framework.Interfaces;
 using OpenSim.Region.Framework.Scenes.Scripting;
@@ -2372,64 +2373,80 @@ namespace OpenSim.Region.Framework.Scenes
 ///
 public bool NewUserConnection(AgentCircuitData agent)
 {
- CapsModule.NewUserConnection(agent);
+ bool goodUserConnection = AuthenticateUser(agent);
- ScenePresence sp = m_sceneGraph.GetScenePresence(agent.AgentID);
- if (sp != null)
+ if (goodUserConnection)
 {
- m_log.DebugFormat(
- "[SCENE]: Adjusting known seeds for existing agent {0} in {1}",
- agent.AgentID, RegionInfo.RegionName);
+ CapsModule.NewUserConnection(agent);
- sp.AdjustKnownSeeds();
+ ScenePresence sp = m_sceneGraph.GetScenePresence(agent.AgentID);
+ if (sp != null)
+ {
+ m_log.DebugFormat(
+ "[SCENE]: Adjusting known seeds for existing agent {0} in {1}",
+ agent.AgentID, RegionInfo.RegionName);
- return true;
- }
+ sp.AdjustKnownSeeds();
- // Don't disable this log message - it's too helpful
- m_log.InfoFormat(
- "[CONNECTION BEGIN]: Region {0} told of incoming client {1} {2} {3} (circuit code {4})",
- RegionInfo.RegionName, agent.firstname, agent.lastname, agent.AgentID, agent.circuitcode);
+ return true;
+ }
- if (m_regInfo.EstateSettings.IsBanned(agent.AgentID))
- {
- m_log.WarnFormat(
- "[CONNECTION BEGIN]: Incoming user {0} at {1} is on the region banlist",
- agent.AgentID, RegionInfo.RegionName);
- //return false;
- }
+ // Don't disable this log message - it's too helpful
+ m_log.InfoFormat(
+ "[CONNECTION BEGIN]: Region {0} told of incoming client {1} {2} {3} (circuit code {4})",
+ RegionInfo.RegionName, agent.firstname, agent.lastname, agent.AgentID, agent.circuitcode);
+
+ if (m_regInfo.EstateSettings.IsBanned(agent.AgentID))
+ {
+ m_log.WarnFormat(
+ "[CONNECTION BEGIN]: Incoming user {0} at {1} is on the region banlist",
+ agent.AgentID, RegionInfo.RegionName);
+ //return false;
+ }
- CapsModule.AddCapsHandler(agent.AgentID);
+ CapsModule.AddCapsHandler(agent.AgentID);
- if (!agent.child)
- {
- // Honor parcel landing type and position.
- ILandObject land = LandChannel.GetLandObject(agent.startpos.X, agent.startpos.Y);
- if (land != null)
+ if (!agent.child)
 {
- if (land.landData.LandingType == (byte)1 && land.landData.UserLocation != Vector3.Zero)
+ // Honor parcel landing type and position.
+ ILandObject land = LandChannel.GetLandObject(agent.startpos.X, agent.startpos.Y);
+ if (land != null)
 {
- agent.startpos = land.landData.UserLocation;
+ if (land.landData.LandingType == (byte)1 && land.landData.UserLocation != Vector3.Zero)
+ {
+ agent.startpos = land.landData.UserLocation;
+ }
 }
 }
- }
- m_authenticateHandler.AddNewCircuit(agent.circuitcode, agent);
+ m_authenticateHandler.AddNewCircuit(agent.circuitcode, agent);
- // rewrite session_id
- CachedUserInfo userinfo = CommsManager.UserProfileCacheService.GetUserDetails(agent.AgentID);
+ // rewrite session_id
+ CachedUserInfo userinfo = CommsManager.UserProfileCacheService.GetUserDetails(agent.AgentID);
+ if (userinfo != null)
+ {
+ userinfo.SessionID = agent.SessionID;
+ }
+ else
+ {
+ m_log.WarnFormat(
+ "[CONNECTION BEGIN]: We couldn't find a User Info record for {0}. This is usually an indication that the UUID we're looking up is invalid", agent.AgentID);
+ }
- if (userinfo != null)
- {
- userinfo.SessionID = agent.SessionID;
+ return true;
 }
 else
 {
- m_log.WarnFormat(
- "[CONNECTION BEGIN]: We couldn't find a User Info record for {0}. This is usually an indication that the UUID we're looking up is invalid", agent.AgentID);
+ m_log.WarnFormat("[CONNECTION BEGIN]: failed to authenticate user {0} {1}. Denying connection.", agent.firstname, agent.lastname);
+ return false;
 }
+ }
- return true;
+ public virtual bool AuthenticateUser(AgentCircuitData agent)
+ {
+ bool result = CommsManager.UserService.VerifySession(agent.AgentID, agent.SessionID);
+ m_log.Debug("[CONNECTION BEGIN]: User authentication returned " + result);
+ return result;
 }
 public void UpdateCircuitData(AgentCircuitData data)
--
cgit v1.1
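Review bot: The denial branch at the end of NewUserConnection logs only agent.firstname and agent.lastname, which are read from the same AgentCircuitData that has just failed verification, so the warning does not record the AgentID that VerifySession actually checked, nor the region. For anyone triaging spoofing attempts, the identifier under test is the useful field: `m_log.WarnFormat("[CONNECTION BEGIN]: failed to authenticate user {0} {1} ({2}) in {3}. Denying connection.", agent.firstname, agent.lastname, agent.AgentID, RegionInfo.RegionName);`. The Debug line in AuthenticateUser should likewise name agent.AgentID instead of printing a bare true/false, while still keeping the session id itself out of the log. Separately, the banlist branch that now sits inside the authenticated path still has `//return false;` commented out, so a banned agent is only warned about and still reaches AddCapsHandler and AddNewCircuit. If that is deliberate, a comment saying where the ban is enforced would help.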