From 86d4724e24636a360f354656482eaa2a25601e93 Mon Sep 17 00:00:00 2001 From: Justin Clark-Casey (justincc) Date: Wed, 4 Mar 2015 17:36:35 +0000 Subject: Make private services forbid llHTTPRequest() calls by rejecting those that have the X-SecondLife-Shard header. If you need to enable this, set AllowHttpRequestIn = true in [Network] for all private services or individual [*Service] sections. --- bin/Robust.HG.ini.example | 7 +++++++ bin/Robust.ini.example | 7 +++++++ 2 files changed, 14 insertions(+) (limited to 'bin') diff --git a/bin/Robust.HG.ini.example b/bin/Robust.HG.ini.example index 5fa4026..872a7f8 100644 --- a/bin/Robust.HG.ini.example +++ b/bin/Robust.HG.ini.example @@ -153,6 +153,13 @@ ;; Hypergrid services are not affected by this; they are publicly available ;; by design. + ;; By default, scripts are not allowed to call private services via llHttpRequest() + ;; Such calls are detected by the X-SecondLife-Shared HTTP header + ;; If you allow such calls you must be sure that they are restricted to very trusted scripters + ;; (remember scripts can also be in visiting avatar attachments). + ;; This can be overriden in individual private service sections if necessary + AllowllHTTPRequestIn = false + ; * The following are for the remote console ; * They have no effect for the local or basic console types ; * Leave commented to diable logins to the console diff --git a/bin/Robust.ini.example b/bin/Robust.ini.example index a0b8f50..48deeae 100644 --- a/bin/Robust.ini.example +++ b/bin/Robust.ini.example 
@@ -129,6 +129,13 @@ ;; This is useful in cases where you want to protect most of the services, ;; but unprotect individual services. Username and Password can also be ;; overriden if you want to use different credentials for the different services. + + ;; By default, scripts are not allowed to call private services via llHttpRequest() + ;; Such calls are detected by the X-SecondLife-Shared HTTP header + ;; If you allow such calls you must be sure that they are restricted to very trusted scripters + ;; (remember scripts can also be in visiting avatar attachments). + ;; This can be overriden in individual private service sections if necessary + AllowllHTTPRequestIn = false ; * The following are for the remote console ; * They have no effect for the local or basic console types -- cgit v1.1
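Review bot: In the Robust.HG.ini.example hunk the comment names the wrong header: it says calls are "detected by the X-SecondLife-Shared HTTP header", while the commit message says the check is on X-SecondLife-Shard. An operator reading the ini will look for the wrong header in their logs; the comment should read "X-SecondLife-Shard". The commit message also tells operators to set "AllowHttpRequestIn = true", but the key added here is "AllowllHTTPRequestIn", so anyone following the message would set a key that is never read; the name should match in both places. Minor: "overriden" should be "overridden", and "llHttpRequest()" should be spelled "llHTTPRequest()" as in the subject line. Since rejection keys only on the presence of a header that a cooperating simulator adds, a client that simply omits the header is not blocked, so the comment should say this is a guard against scripted calls from well-behaved regions, not a replacement for the Username/Password service authentication configured above it.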
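Review bot: The Robust.ini.example hunk duplicates the same comment block verbatim, so it carries the same "X-SecondLife-Shared" misspelling of the X-SecondLife-Shard header and the same "overriden" typo; fix both copies together so the two example files do not drift. This hunk also introduces a stray leading "+" blank line before the comment that the HG file's hunk does not have; either drop it or add the matching blank to Robust.HG.ini.example so the two examples stay in step. The sentence "This can be overriden in individual private service sections if necessary" would be more useful if it named the key to repeat in a [*Service] section, e.g. "AllowllHTTPRequestIn = true" under the specific service, in the same way the surrounding text already explains per-service Username and Password overrides.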