Fix security so it correctly checks the OwnerUUID of an object which contains the script issuing a command

pull/1/merge
Jak Daniels 2015-10-17 12:56:50 +01:00
parent 1bdb12c558
commit 81b353c53c
2 changed files with 16 additions and 2 deletions


@ -311,8 +311,19 @@ namespace Flocking
protected void SimChatSent (Object x, OSChatMessage msg)
{
if (msg.Channel != m_chatChannel) return; // not for us
if (m_allowedControllers.Count > 0)
{
bool reject = true;
if (msg.SenderObject != null)
{
UUID ooUUID = ((SceneObjectPart)msg.SenderObject).OwnerID;
//m_log.InfoFormat("[{0}]: Message from object {1} with OwnerID: {2}", m_name, msg.SenderUUID, ooUUID);
if (m_allowedControllers.Contains(ooUUID)) reject = false;
}
if (m_allowedControllers.Contains(msg.SenderUUID)) reject = false;
if (m_allowedControllers.Count>0 & !m_allowedControllers.Contains(msg.SenderUUID)) return; // not for us
if (reject) return; //not for us
}
// try and parse a valid cmd from this msg
string cmd = msg.Message; //.ToLower ();
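Review bot: The new owner lookup hard-casts `msg.SenderObject` to `SceneObjectPart`, so a non-null sender object of any other type would throw an InvalidCastException inside this chat handler instead of being turned away by the allow-list check. A type-checked form keeps the authorisation path fail-closed without an exception: `SceneObjectPart part = msg.SenderObject as SceneObjectPart;` followed by `if (part != null && m_allowedControllers.Contains(part.OwnerID)) reject = false;`. Whether other sender types can actually reach this handler is not visible in the hunk, so treat that as a case to confirm. A short comment above the block should also state that authorising by `OwnerID` lets every script in every object owned by a listed controller drive the module. SimChatSent continues past the end of the hunk.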


@ -123,7 +123,10 @@ By default anyone can send commands to the module from within a script or via th
You should use a high negative value for channel if you want to allow script access, but not in-world chat. Further you can restrict
which users are allowed to control the module using the 'BirdsAllowedControllers' setting. This is a comma separated list of user UUIDs,
but it may also contain one of the pre-defined constants ESTATE_OWNER (evaluates to the UUID of the estate owner) and ESTATE_MANAGER
(evaluates to a list of estate manager UUIDS).
(evaluates to a list of estate manager UUIDS).
* For commands sent from in-world chat, it is the UUID of the avatar sending the command that is checked against the list.
* For commands sent from a script it is the UUID of the owner of the prim in which the script resides that is checked against the list.
Bird prims: