0008856: Userprofiles does not sanitize classified input

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0008856

opensim

[GRID] Grid Service

public

2021-01-28 11:52

2021-02-01 05:05

Reporter

tampa

Assigned To

Priority

high

Severity

minor

Reproducibility

always

Status

patch included

Resolution

open

Platform

Operating System

Operating System Version

Product Version

Target Version

Fixed in Version

Summary

0008856: Userprofiles does not sanitize classified input

Description

The userprofileservice does not check validity of data it is sent, specifically for classifieds no defaults are assumed. Unfortunately some viewers do not send proper data when classifieds are set up.

This means the search system based around the valid data in the database fail to find classifieds with improper classifiedflags.

What is needed is a check in the userprofileservice to make sure the data passed to classifieds contains proper classifiedflags or default to int 2, which represents "General Content" no auto renew. Currently without a default set the database gets null seen as int 0, resulting in essentially faulty data.

For the unofficial ossearch to work these flags need to be proper else anything in General Content cannot be found.

Steps To Reproduce

Enable debug http all 6 on simulator console.

Create a classified set to "General Content" without the automatic renewal enabled.

Observe data being sent to userprofile service not containing Flag parameter for classifiedflags.

Check database classifieds table to see classifiedflags set to 0 instead of 2.

Additional Information

Apparently there are two parts to these flags.

A bit to set auto renew, represented as int 32

A bit to set maturity level, represented as 2,8 and 64

Apparently this is normally checked at the binary level, each bit, well you can work that out I lack sleep for binary conversion.

Currently cannot test other viewers, only checked Firestorm, but seeing as this is rather down basic avenue I suspect all viewers have this issue. While that means it is somewhat of a viewer bug, we should still always assume sane defaults if data is missing.

Tags

No tags attached.

Git Revision or version number

Run Mode

Grid (1 Region per Sim) , Grid (Multiple Regions per Sim)

Physics Engine

BulletSim

Script Engine

XEngine

Environment

Mono / Linux64

Mono Version

6.x

Viewer

Firestorm

Attached Files

0052-Sanitize-classifiedflags-input.patch [^] (2,502 bytes) 2021-02-01 05:05 [Show Content] [Hide Content]

From 10e77599ee093e92a101f83c47bd6d6af9af5600 Mon Sep 17 00:00:00 2001
From: Vincent Sylvester <vincentsylvester@zetamex.com>
Date: Mon, 1 Feb 2021 12:59:19 +0100
Subject: [PATCH] Sanitize classifiedflags input

---
 .../Handlers/Profiles/UserProfilesHandlers.cs | 36 +++++++++++++++----
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/OpenSim/Server/Handlers/Profiles/UserProfilesHandlers.cs b/OpenSim/Server/Handlers/Profiles/UserProfilesHandlers.cs
index a68e04fe84..f16df4870d 100644
--- a/OpenSim/Server/Handlers/Profiles/UserProfilesHandlers.cs
+++ b/OpenSim/Server/Handlers/Profiles/UserProfilesHandlers.cs
@@ -111,11 +111,23 @@ namespace OpenSim.Server.Handlers
             // based on maturity level. 0x4e is bits 1 (old viewers mature), 2 (pg), 3 (Mature) and 6 (Adult).
             if ((ad.Flags & 0x4e) == 0)
                 ad.Flags |= 0x04;
-
-            if (Service.ClassifiedUpdate(ad, ref result))
+            
+            switch (ad.Flags)
             {
-                response.Result = OSD.SerializeMembers(ad);
-                return true;
+                case 4:
+                case 8:
+                case 36:
+                case 40:
+                case 64:
+                case 96:
+                    if (Service.ClassifiedUpdate(ad, ref result))
+                    {
+                        response.Result = OSD.SerializeMembers(ad);
+                        return true;
+                    }
+                    break;
+                default:
+                    break;
             }
 
             response.Error.Code = ErrorCode.InternalError;
@@ -165,8 +177,20 @@ namespace OpenSim.Server.Handlers
                 // based on maturity level. 0x4e is bits 1 (old viewers mature), 2 (pg), 3 (Mature) and 6 (Adult).
                 if ((ad.Flags & 0x4e) == 0)
                     ad.Flags |= 0x04;
-                response.Result = OSD.SerializeMembers(ad);
-                return true;
+                
+                switch (ad.Flags)
+                {
+                    case 4:
+                    case 8:
+                    case 36:
+                    case 40:
+                    case 64:
+                    case 96:
+                        response.Result = OSD.SerializeMembers(ad);
+                        return true;
+                    default:
+                        break;
+                }
             }
 
             response.Error.Code = ErrorCode.InternalError;
-- 
2.29.2.windows.3

Relationships

Notes
(0037528) tampa (reporter) 2021-01-31 03:47	So now on master it sets the correct flags, but nothing checks whether what's entered is within the possible values, it still just parses. While it does add overhead, making sure data entry is sane is important unless you want to risk bad data getting in there.

Issue History
Date Modified	Username	Field	Change
2021-01-28 11:52	tampa	New Issue
2021-01-29 14:24	tampa	File Added: 0052-Make-sure-Classifiedflags-are-proper.patch
2021-01-29 14:32	tampa	Note Added: 0037520
2021-01-29 14:32	tampa	Status	new => patch included
2021-01-29 18:17	tampa	File Deleted: 0052-Make-sure-Classifiedflags-are-proper.patch
2021-01-29 18:17	tampa	Note Deleted: 0037520
2021-01-31 03:47	tampa	Note Added: 0037528
2021-02-01 05:04	tampa	File Added: 0052-Sanitize-classifiedflags-input.patch
2021-02-01 05:05	tampa	File Deleted: 0052-Sanitize-classifiedflags-input.patch
2021-02-01 05:05	tampa	File Added: 0052-Sanitize-classifiedflags-input.patch