MantisBT - opensim
View Issue Details
0008417opensim[REGION] Script Functionspublic2018-12-08 11:192018-12-11 10:52
unregi 
 
normalminoralways
patch includedopen 
mono 5.16.0.179Debian GNU/Linux9
0.9.0.1 
 
Grid (1 Region per Sim)
BulletSim
Mono / Linux64
5.x
Firestorm 5.1.7
0008417: llSetContentType doeasn't set Content-Type
llSetContentType does nothing. It's always "text/plain". I also tested it on SandboxPlaza, also didn't work. I tried to test it on some other Sims, but most seem to have the RegionURL for LSL not set in the config files and make llRequestURL impossible in the first place.
1. Run attached script
2. Click on Link that pops up (open in the built-in browser)
3. Browser writes the text with HTML tags and doesn't parse it to an HTML page
Should be able to also work on external Browser if you set its Useragent to something that includes "SecondLife" and use it from the same IP as the Viewer (according to comments on line 2004 and 2000 in LSL_Api.cs).
No tags attached.
? content-type-test.lsl (1,354) 2018-12-08 11:19
http://opensimulator.org/mantis/file_download.php?file_id=4804&type=bug
patch 0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch (4,504) 2018-12-08 12:43
http://opensimulator.org/mantis/file_download.php?file_id=4805&type=bug
Issue History
2018-12-08 11:19unregiNew Issue
2018-12-08 11:19unregiFile Added: content-type-test.lsl
2018-12-08 11:27unregiNote Added: 0033580
2018-12-08 11:28UbitUmarovNote Added: 0033581
2018-12-08 12:43unregiFile Added: 0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch
2018-12-08 12:55unregiNote Added: 0033582
2018-12-08 12:56UbitUmarovNote Added: 0033583
2018-12-08 13:03unregiNote Edited: 0033582bug_revision_view_page.php?bugnote_id=33582#r7412
2018-12-09 03:41unregiStatusnew => patch included
2018-12-11 06:40melanieNote Added: 0033605
2018-12-11 07:19melanieNote Edited: 0033605bug_revision_view_page.php?bugnote_id=33605#r7421
2018-12-11 07:37unregiNote Added: 0033606
2018-12-11 07:38unregiNote Edited: 0033606bug_revision_view_page.php?bugnote_id=33606#r7423
2018-12-11 10:52UbitUmarovNote Added: 0033610

Notes
(0033580)
unregi   
2018-12-08 11:27   
osSetContentType (which skips the checks for useragent, same IP and owner in region) doesn't work either.
(0033581)
UbitUmarov   
2018-12-08 11:28   
it does several checks, some mb outdated
take a look to LSL_APi.cs for details
and the spec at http://wiki.secondlife.com/wiki/LlSetContentType [^]

ill try some testing when ive the time..
(0033582)
unregi   
2018-12-08 12:55   
(edited on: 2018-12-08 13:03)
LSLHttp Module is checking an OpenID 'agni_sl_session_id' cookie and declines changes to the ContentType if there is none.
This is also affection osSetContentType, which has afaik the purpose of skipping all the checks.

Current Firestorm doesn't seem to set that cookie. Or maybe it's just set when the Region is on the same host as the Login Service that set that Cookie, like browsers usually behave?
http://hg.phoenixviewer.com/phoenix-firestorm-lgpl/file/6ea231474e3b/indra/newview/llviewermedia.cpp [^]
It's all that OpenIDCookie related code here.

I would remove that check (attached patch), because SecondLife doesn't seem to check that cookie either, i can connect from external browser with the same IP and UserAgent set to "SecondLife" perfectly fine to the script, without having that cookie.

(0033583)
UbitUmarov   
2018-12-08 12:56   
ok ill look as soon as possible thx
(0033605)
melanie   
2018-12-11 06:40   
(edited on: 2018-12-11 07:19)
This code has to come back. It is what prevents users of a region to host phishing sites or warez/pr0n links. The ability to send arbitrary content and HTML to any browser but the viewer built-in one can and will lead to region owners or hosters having police at the door.

EDIT: The check for IP address should avert most of the danger.

(0033606)
unregi   
2018-12-11 07:37   
(edited on: 2018-12-11 07:38)
According to the SL wiki, the requirements are:
1. the web browser is the Second Life client
2. the user (logged into the SL client viewing the page) is the owner of the object.
3. the user (logged into the SL client viewing the page) is connected to the region the object is located in

1. is done by Useragent check (not reliable, but its the same that SL does and this alone is already making sure that users can't host phishing websites)
2 and 3. is done by the IP check (also not reliable, but the same that SL does)

The additional check for the Cookie is not done by SL and the cookie is not provided by the current SLViewer, neither by Firestorm. It got provided in the past, when the Viewers used an older webkit implementation for the internal browser.

(0033610)
UbitUmarov   
2018-12-11 10:52   
osSetContentType should only be used by those that understand the implications
I did restricted its use a bit more.

llSetContentType seems working now. Thanks.


note that you may need to set viewers to use internal browser for all.
they do not recognize our regions as "sl" urls and in that case may not send needed information