Mantis Bug Tracker

ID: 0008881
Project: opensim
Category: [REGION] Script Functions
View Status: public
Date Submitted: 2021-03-15 03:29
Last Update: 2021-03-16 14:41
Reporter: thoys
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0008881: llHttpRequest custom header for Authorization gives script error
Description: I am making a request to an API using LSL; this requires me to use the Authorization header to supply the API token. The script does give me a valid response, and it does use the Authorization header, but it also gives me the following scripting error, which seems related to this custom header:

"llHTTPRequest: Name is invalid as a custom header at parameter 5"

We have also tried to run this function in SL, it does work over there without an error.
Steps To Reproduce: I cannot give you the API for security reasons, but make a simple request and use the custom header:

1. Make a LSL script and do the following script call in there:

llHTTPRequest("http://opensimulator.org", [
        HTTP_METHOD, "GET",
        HTTP_CUSTOM_HEADER, "Authorization", "Token TOKEN_REDACTED"
    ], "");

2. You should be getting the following script error now: "llHTTPRequest: Name is invalid as a custom header at parameter 5"
Tags: No tags attached.
Git Revision or version number: (not given)
Run Mode: Grid (1 Region per Sim)
Physics Engine: BulletSim
Script Engine: XEngine
Environment: Mono / Linux64
Mono Version: 6.x
Viewer: Firestorm
Attached Files: (none)

Notes
(0037663)
JeffKelley (reporter)
2021-03-15 04:49

Per http://wiki.secondlife.com/wiki/LlHTTPRequest :

HTTP_CUSTOM_HEADER : Note that certain headers, such as the default headers, are blocked for security reasons.

'Authorization' belongs to the HttpStandardHeaders set.
(Region/ScriptEngine/Shared/Api/Implementation/LSL_Api.cs, line 286)

If that works in SL, it means that SL and OS do not agree on "standard headers".
(0037664)
thoys (reporter)
2021-03-15 05:03

Note, it does still come through and send the data. So technically it is sending the headers correctly with SL and OS, but opensim gives this additional error, which makes it impractical to use llHttpRequest for basic APIs that are authenticated in this fairly common way.
(0037665)
JeffKelley (reporter)
2021-03-15 06:12
edited on: 2021-03-15 06:12

Yes, custom headers are added unconditionally.
The "is standard header?" test is just used to raise an error.

(0037666)
thoys (reporter)
2021-03-15 06:52

What is the exact security concern for the usage of this header? For me it is a pretty useful header to set.

Even on websites with JavaScript, a request could be made using this header, e.g.:

<code>
var req = new XMLHttpRequest();
req.open("GET", "http://opensimulator.org/", true);
req.setRequestHeader('Authorization', 'Token TOKEN_REDACTED');
req.send();
</code>
(0037667)
thoys (reporter)
2021-03-15 08:01

I've read more into this and I think this list is better to follow for forbidden header names: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

The LSL wiki is not really a source of absolute truth. We've reproduced this same script in SL, and they allow the header, fortunately.

More information about the Authorization header usage:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
(0037669)
piusnoel (reporter)
2021-03-15 09:53
edited on: 2021-03-15 09:54

I once made a test to find out which keywords are allowed in SL compared to Opensim. I found out that only a few are not allowed and some can be set, but will be overwritten without further notice.

In those days I used my own authorization method and used something like X-MyApp-Authorization in the header.

Unfortunately I cannot find the Excel Sheet with my data any more, but I still have the server and the scripts I used to test. There is some manual work to do, but you can expect that I re-create the list to compare within the next two days for further discussions.

(0037670)
JeffKelley (reporter)
2021-03-15 11:06
edited on: 2021-03-15 12:02

> I once made a test to find out which keywords are allowed in SL compared to Opensim

Here is the list of "standard headers" used in Opensim. The headers in HTTP_CUSTOM_HEADER are searched in this list. If found, an error is issued but the header is added nevertheless.

private static readonly HashSet<string> HttpStandardHeaders = new HashSet<string>(StringComparer.InvariantCultureIgnoreCase)
{
    "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language",
    "Accept-Ranges", "Age", "Allow", "Authorization", "Cache-Control",
    "Connection", "Content-Encoding", "Content-Language",
    "Content-Length", "Content-Location", "Content-MD5",
    "Content-Range", "Content-Type", "Date", "ETag", "Expect",
    "Expires", "From", "Host", "If-Match", "If-Modified-Since",
    "If-None-Match", "If-Range", "If-Unmodified-Since", "Last-Modified",
    "Location", "Max-Forwards", "Pragma", "Proxy-Authenticate",
    "Proxy-Authorization", "Range", "Referer", "Retry-After", "Server",
    "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent",
    "Vary", "Via", "Warning", "WWW-Authenticate"
};

It would be trivial to either 1/ dismiss the error message or 2/ drop the headers in this list. But the issue needs more thinking about what can and what can't be overridden, and the security implications.

Note: "Custom" headers are X-Things, usually.

(0037671)
piusnoel (reporter)
2021-03-16 14:39

Testing the list of Opensim HTTP Standard Headers in Second Life results in four different behaviours:
1) A script error like the Opensim error is produced. The request is aborted.
2) The header is accepted and the value is passed as is. The request is not aborted.
3) The header is accepted, but its value is cleared out. The request is not aborted.
4) The header is accepted, but its value is overwritten. The request is not aborted.

OS HTTP Std Header    MDN  Behaviour in SL
--------------------  ---  -----------------------------
Accept                     Script error
Accept-Charset        *    Script error
Accept-Encoding       *    value passed
Accept-Language            value passed
Accept-Ranges              value passed
Age                        value passed
Allow                      value passed
Authorization              value passed
Cache-Control              value cleared
Connection            *    overwritten (e.g. keep-alive)
Content-Encoding           value passed
Content-Language           value passed
Content-Length        *    value cleared
Content-Location           value passed
Content-MD5                value passed
Content-Range              value passed
Content-Type               Script error
Date                  *    value cleared
ETag                       value passed
Expect                *    value cleared
Expires                    value passed
From                       Script error
Host                  *    Script error
If-Match                   value cleared
If-Modified-Since          value cleared
If-None-Match              value cleared
If-Range                   value passed
If-Unmodified-Since        value cleared
Last-Modified              value passed
Location                   value passed
Max-Forwards               value cleared
Pragma                     value passed
Proxy-Authenticate    *    value cleared
Proxy-Authorization   *    value cleared
Range                      value passed
Referer               *    Script error
Retry-After                value passed
Server                     value passed
TE                    *    Script error
Trailer               *    Script error
Transfer-Encoding     *    value cleared
Upgrade               *    Script error
User-Agent                 Script error
Vary                       value cleared
Via                   *    Script error
Warning                    value cleared
WWW-Authenticate           value passed

An * means it’s in the list of forbidden header names on the MDN web site (mentioned by @thoys). According to a note, User-Agent is no longer forbidden by spec. But I think we should leave it as is.
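As an added example (not OpenSim's or Second Life's code), the following Python models the check described in notes 0037670 and 0037671: it walks an llHTTPRequest-style flat parameter list, matches each HTTP_CUSTOM_HEADER name case-insensitively (as a HashSet built with StringComparer.InvariantCultureIgnoreCase does) against a block list, and applies either of the two policies JeffKelley names: report-only, which leaves the header on the request as this issue reports, or drop, which keeps a blocked header off the wire. The OpenSim block list is the HttpStandardHeaders set quoted above; the MDN set contains only the names starred in the table, not MDN's full list. The LSL option constant values, the arity table, the error message text and the parser itself are my assumptions, and all sample inputs are constructed.

```python
"""Model of the HTTP_CUSTOM_HEADER block-list check discussed in this issue.
Added example, not OpenSim's or Second Life's code; see lead-in for assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set, Tuple, Union

# llHTTPRequest option constants with the values LSL defines for them
# (assumption: only the options needed by the parser are listed).
HTTP_METHOD = 0
HTTP_MIMETYPE = 1
HTTP_BODY_MAXLENGTH = 2
HTTP_VERIFY_CERT = 3
HTTP_VERBOSE_THROTTLE = 4
HTTP_CUSTOM_HEADER = 5
HTTP_PRAGMA_NO_CACHE = 6

# Number of values that follow each option in the flat parameter list.
# HTTP_CUSTOM_HEADER is the only option taking two (name, value).
OPTION_ARITY: Dict[int, int] = {
    HTTP_METHOD: 1, HTTP_MIMETYPE: 1, HTTP_BODY_MAXLENGTH: 1,
    HTTP_VERIFY_CERT: 1, HTTP_VERBOSE_THROTTLE: 1,
    HTTP_CUSTOM_HEADER: 2, HTTP_PRAGMA_NO_CACHE: 1,
}

# OpenSim's HttpStandardHeaders as quoted in note 0037670, lower-cased so the
# lookup is case-insensitive like the C# HashSet.
OPENSIM_STANDARD_HEADERS: Set[str] = {h.lower() for h in (
    "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language",
    "Accept-Ranges", "Age", "Allow", "Authorization", "Cache-Control",
    "Connection", "Content-Encoding", "Content-Language",
    "Content-Length", "Content-Location", "Content-MD5",
    "Content-Range", "Content-Type", "Date", "ETag", "Expect",
    "Expires", "From", "Host", "If-Match", "If-Modified-Since",
    "If-None-Match", "If-Range", "If-Unmodified-Since", "Last-Modified",
    "Location", "Max-Forwards", "Pragma", "Proxy-Authenticate",
    "Proxy-Authorization", "Range", "Referer", "Retry-After", "Server",
    "TE", "Trailer", "Transfer-Encoding", "Upgrade", "User-Agent",
    "Vary", "Via", "Warning", "WWW-Authenticate",
)}

# Only the names piusnoel starred in note 0037671 as MDN forbidden header
# names. Authorization is deliberately not in this set.
MDN_FORBIDDEN_STARRED: Set[str] = {h.lower() for h in (
    "Accept-Charset", "Accept-Encoding", "Connection", "Content-Length",
    "Date", "Expect", "Host", "Proxy-Authenticate", "Proxy-Authorization",
    "Referer", "TE", "Trailer", "Transfer-Encoding", "Upgrade", "Via",
)}

Param = Union[int, str]


@dataclass
class CheckResult:
    errors: List[str] = field(default_factory=list)        # script errors raised
    headers: Dict[str, str] = field(default_factory=dict)  # headers put on the wire


def parse_custom_headers(params: Sequence[Param]) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs supplied via HTTP_CUSTOM_HEADER.
    Rejects unknown options and an option missing its trailing value(s)."""
    pairs: List[Tuple[str, str]] = []
    i = 0
    while i < len(params):
        opt = params[i]
        if not isinstance(opt, int) or opt not in OPTION_ARITY:
            raise ValueError(f"unknown option at parameter {i}: {opt!r}")
        arity = OPTION_ARITY[opt]
        if i + arity >= len(params):
            raise ValueError(f"option at parameter {i} is missing its value(s)")
        if opt == HTTP_CUSTOM_HEADER:
            pairs.append((str(params[i + 1]), str(params[i + 2])))
        i += 1 + arity
    return pairs


def check_custom_headers(params: Sequence[Param], blocked: Set[str],
                         drop: bool) -> CheckResult:
    """Apply a block list to the custom headers. drop=False reports the header
    but still sends it (the behaviour this issue describes); drop=True keeps a
    blocked header out of the request entirely."""
    result = CheckResult()
    for name, value in parse_custom_headers(params):
        if name.lower() in blocked:
            result.errors.append(
                f"llHTTPRequest: {name!r} is not allowed as a custom header")
            if drop:
                continue
        result.headers[name] = value
    return result


if __name__ == "__main__":
    # The reporter's call from the description; token value is constructed.
    sample = [HTTP_METHOD, "GET",
              HTTP_CUSTOM_HEADER, "Authorization", "Token TOKEN_REDACTED"]
    for label, blocked in (("OpenSim list", OPENSIM_STANDARD_HEADERS),
                           ("MDN starred", MDN_FORBIDDEN_STARRED)):
        r = check_custom_headers(sample, blocked, drop=True)
        print(f"{label}: errors={r.errors} sent={r.headers}")
```

Run against the reporter's call, the OpenSim list flags Authorization under both policies, differing only in whether the header is still sent; the starred MDN set lets Authorization through without an error while still refusing Host, Content-Length and the other hop-by-hop or transport-controlled names. piusnoel's X-MyApp-Authorization workaround passes every policy, which is the property the thread's "custom headers are X-Things" remark points at.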
(0037672)
UbitUmarov (administrator)
2021-03-16 14:41

thanks
will look into this...

Issue History
Date Modified     Username    Field   Change
2021-03-15 03:29  thoys       New Issue
2021-03-15 04:49  JeffKelley  Note Added: 0037663
2021-03-15 05:03  thoys       Note Added: 0037664
2021-03-15 06:12  JeffKelley  Note Added: 0037665
2021-03-15 06:12  JeffKelley  Note Edited: 0037665
2021-03-15 06:52  thoys       Note Added: 0037666
2021-03-15 08:01  thoys       Note Added: 0037667
2021-03-15 09:53  piusnoel    Note Added: 0037669
2021-03-15 09:54  piusnoel    Note Edited: 0037669
2021-03-15 11:06  JeffKelley  Note Added: 0037670
2021-03-15 11:07  JeffKelley  Note Edited: 0037670
2021-03-15 11:10  JeffKelley  Note Edited: 0037670
2021-03-15 12:02  JeffKelley  Note Edited: 0037670
2021-03-16 14:39  piusnoel    Note Added: 0037671
2021-03-16 14:41  UbitUmarov  Note Added: 0037672


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker