Security vulnerability caused by an inventory service that performs no checks

Problem
Under the following conditions, anyone can take full control (CRUD) of another user's inventory:
 * 1) The InventoryServer is exposed to the public.
 * 2) The user's UUID is known.

The following figure describes the situation:
 * InventoryServer is an ordinary HTTP server. The normal way to use it is:
 * the user authenticates with the UserServer
 * the user controls their inventory through the RegionServer
 * However, the InventoryServer accepts any request without checking whether the user is authenticated; it does not even check whether the request comes from a RegionServer.
 * So, if you know another user's UUID, you can send CRUD HTTP requests directly to the InventoryServer without logging in.



AvatarPortability needs a public inventory server, so we have to make a secure one.

Solution

 * Every inventory operation packet contains a "session_id" field, but it is never used.
 * So a secure inventory service could work like this:
 * "session_id" is important information that is (or should be) transferred only within a login session.
 * "expect_user" transfers the "session_id" from the UserServer to the RegionServer only when authentication succeeds, so "expect_user" is safe.
 * A method such as "get_agent_by_uuid" is very dangerous.

RegionServer side
 inventory_server_url = http://127.0.0.1:8004
 secure_inventory_server = true / false
 * These settings go in OpenSim.ini, in the [Network] section.
 * If the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Inventory requests from the region server will then have the user's session_id attached.
 * Otherwise, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests.
 * Setting secure_inventory_server to false is only useful when you want your region server to connect to an old inventory server that does not expect a session_id.

InventoryServer side
session_lookup = true / false (for session_lookup, please also refer to the picture above)
 * This setting goes in InventoryServer_Config.xml.
 * If you want the inventory server to validate each incoming inventory request by session_id, set session_lookup = true.
 * Otherwise, set session_lookup = false.
 * Setting session_lookup to false makes the inventory server accept any request from any client.

*NOTE*

 * Regardless of whether session_lookup is true or false, the new inventory server requires a session_id in every inventory request. If you want your region server to connect to a new inventory server, you should always set secure_inventory_server = true in OpenSim.ini.
 * Here, "new inventory server" means an inventory server after SVN revision 5600.
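
The check described in the Solution and InventoryServer sections can be modelled as follows. This is an added example, not OpenSim code: the class and method names, the "agent_id" and "item" request fields and the numeric return codes are assumptions made for illustration; only "session_id" and session_lookup come from the page.

```python
import hmac
import uuid


class UserServer:
    """Model of the login side: issues session_id and answers lookups."""

    def __init__(self):
        self._sessions = {}  # agent UUID -> session_id of the current login

    def login(self, agent_id):
        # Credential checking is out of scope here; assume it succeeded.
        self._sessions[agent_id] = str(uuid.uuid4())
        return self._sessions[agent_id]

    def logout(self, agent_id):
        self._sessions.pop(agent_id, None)

    def session_matches(self, agent_id, session_id):
        current = self._sessions.get(agent_id)
        if current is None or not isinstance(session_id, str):
            return False
        # Constant-time comparison of the stored and presented values.
        return hmac.compare_digest(current.encode(), session_id.encode())


class InventoryServer:
    """Model of the inventory side with the session_lookup switch."""

    def __init__(self, user_server, session_lookup):
        self.user_server = user_server
        self.session_lookup = session_lookup
        self.items = {}  # agent UUID -> list of item names

    def handle(self, request):
        agent_id = request.get("agent_id")
        session_id = request.get("session_id")
        # session_id is required whatever session_lookup is set to.
        if not agent_id or not session_id:
            return 400
        if self.session_lookup and not self.user_server.session_matches(
                agent_id, session_id):
            return 403  # knowing the UUID alone is not enough
        self.items.setdefault(agent_id, []).append(request.get("item"))
        return 200
```

With session_lookup enabled, a request is accepted only while the session_id issued at login is still current for that UUID; with it disabled, any non-empty session_id passes, which is the "accept any request from any client" behaviour noted above.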