Mantis Bug Tracker

View Issue Details
ID: 0008417
Project: opensim
Category: [REGION] Script Functions
View Status: public
Date Submitted: 2018-12-08 11:19
Last Update: 2018-12-11 10:52
Reporter: unregi
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: patch included
Resolution: open
Platform: mono 5.16.0.179
OS: Debian GNU/Linux
OS Version: 9
Product Version: 0.9.0.1
Target Version:
Fixed in Version:
Summary: 0008417: llSetContentType doesn't set Content-Type
Description: llSetContentType does nothing. It's always "text/plain". I also tested it on SandboxPlaza, also didn't work. I tried to test it on some other Sims, but most seem to have the RegionURL for LSL not set in the config files and make llRequestURL impossible in the first place.
Steps To Reproduce:
1. Run attached script
2. Click on Link that pops up (open in the built-in browser)
3. Browser writes the text with HTML tags and doesn't parse it to an HTML page
Additional Information: Should be able to also work on external Browser if you set its Useragent to something that includes "SecondLife" and use it from the same IP as the Viewer (according to comments on line 2004 and 2000 in LSL_Api.cs).
Tags: No tags attached.
Git Revision or version number:
Run Mode: Grid (1 Region per Sim)
Physics Engine: BulletSim
Environment: Mono / Linux64
Mono Version: 5.x
Viewer: Firestorm 5.1.7
Attached Files:
content-type-test.lsl (1,354 bytes) 2018-12-08 11:19
0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch (4,504 bytes) 2018-12-08 12:43


Notes
(0033580)
unregi (reporter)
2018-12-08 11:27

osSetContentType (which skips the checks for useragent, same IP and owner in region) doesn't work either.
(0033581)
UbitUmarov (administrator)
2018-12-08 11:28

it does several checks, some maybe outdated
take a look at LSL_Api.cs for details
and the spec at http://wiki.secondlife.com/wiki/LlSetContentType

I'll try some testing when I've the time..
(0033582)
unregi (reporter)
2018-12-08 12:55
edited on: 2018-12-08 13:03

LSLHttp Module is checking an OpenID 'agni_sl_session_id' cookie and declines changes to the ContentType if there is none.
This is also affecting osSetContentType, which has afaik the purpose of skipping all the checks.

Current Firestorm doesn't seem to set that cookie. Or maybe it's just set when the Region is on the same host as the Login Service that set that Cookie, like browsers usually behave?
http://hg.phoenixviewer.com/phoenix-firestorm-lgpl/file/6ea231474e3b/indra/newview/llviewermedia.cpp
It's all that OpenIDCookie related code here.

I would remove that check (attached patch), because SecondLife doesn't seem to check that cookie either, I can connect from external browser with the same IP and UserAgent set to "SecondLife" perfectly fine to the script, without having that cookie.

(0033583)
UbitUmarov (administrator)
2018-12-08 12:56

ok I'll look as soon as possible thx
(0033605)
melanie (administrator)
2018-12-11 06:40
edited on: 2018-12-11 07:19

This code has to come back. It is what prevents users of a region from hosting phishing sites or warez/pr0n links. The ability to send arbitrary content and HTML to any browser but the viewer built-in one can and will lead to region owners or hosters having police at the door.

EDIT: The check for IP address should avert most of the danger.

(0033606)
unregi (reporter)
2018-12-11 07:37
edited on: 2018-12-11 07:38

According to the SL wiki, the requirements are:
1. the web browser is the Second Life client
2. the user (logged into the SL client viewing the page) is the owner of the object.
3. the user (logged into the SL client viewing the page) is connected to the region the object is located in

1. is done by Useragent check (not reliable, but it's the same that SL does and this alone is already making sure that users can't host phishing websites)
2. and 3. are done by the IP check (also not reliable, but the same that SL does)

The additional check for the Cookie is not done by SL and the cookie is not provided by the current SLViewer, nor by Firestorm. It got provided in the past, when the Viewers used an older webkit implementation for the internal browser.
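
The two checks listed in the note above, as an added example that is not part of the thread and is not OpenSim's code. Every name in it is hypothetical, the sample addresses and User-Agent strings are constructed, and falling back to text/plain is an assumption modelled on the behaviour reported in this issue.

```csharp
using System;
using System.Net;

// Added illustration; all names here are hypothetical, not OpenSim's API.
static class ContentTypeGate
{
    const string Fallback = "text/plain";

    // ownerViewerIp is the address of the object owner's viewer while the
    // owner is connected to the object's region, or null otherwise.
    public static string Resolve(string requested, string userAgent,
                                 IPAddress remoteIp, IPAddress ownerViewerIp)
    {
        // Requirement 1: the browser identifies itself as the viewer.
        // The header is client-supplied, so it is never sufficient alone.
        bool isViewer = userAgent != null &&
            userAgent.IndexOf("SecondLife", StringComparison.Ordinal) >= 0;

        // Requirements 2 and 3: the request comes from the address of the
        // owner's viewer in this region. Fail closed when it is unknown.
        // Any other client sharing that address (NAT) matches as well.
        bool fromOwner = ownerViewerIp != null && ownerViewerIp.Equals(remoteIp);

        return (isViewer && fromOwner) ? requested : Fallback;
    }

    static void Main()
    {
        // Constructed sample data (documentation address ranges).
        var owner = IPAddress.Parse("203.0.113.10");
        var other = IPAddress.Parse("198.51.100.7");
        const string viewerUa = "Mozilla/5.0 (constructed) SecondLife/0.0";

        var cases = new (string Label, string Ua, IPAddress From, IPAddress OwnerIp)[]
        {
            ("owner, built-in browser",      viewerUa,      owner, owner),
            ("owner, ordinary browser",      "Mozilla/5.0", owner, owner),
            ("viewer UA, different address", viewerUa,      other, owner),
            ("owner not in region",          viewerUa,      owner, null),
        };
        foreach (var c in cases)
            Console.WriteLine(
                $"{c.Label,-30} -> {Resolve("text/html", c.Ua, c.From, c.OwnerIp)}");
    }
}
```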

(0033610)
UbitUmarov (administrator)
2018-12-11 10:52

osSetContentType should only be used by those that understand the implications
I did restrict its use a bit more.

llSetContentType seems working now. Thanks.


note that you may need to set viewers to use internal browser for all.
they do not recognize our regions as "sl" urls and in that case may not send needed information

Issue History
Date Modified Username Field Change
2018-12-08 11:19 unregi New Issue
2018-12-08 11:19 unregi File Added: content-type-test.lsl
2018-12-08 11:27 unregi Note Added: 0033580
2018-12-08 11:28 UbitUmarov Note Added: 0033581
2018-12-08 12:43 unregi File Added: 0001-Remove-OpenID-cookie-check-agni_sl_session_id-from-S.patch
2018-12-08 12:55 unregi Note Added: 0033582
2018-12-08 12:56 UbitUmarov Note Added: 0033583
2018-12-08 13:03 unregi Note Edited: 0033582
2018-12-09 03:41 unregi Status new => patch included
2018-12-11 06:40 melanie Note Added: 0033605
2018-12-11 07:19 melanie Note Edited: 0033605
2018-12-11 07:37 unregi Note Added: 0033606
2018-12-11 07:38 unregi Note Edited: 0033606
2018-12-11 10:52 UbitUmarov Note Added: 0033610

