From 81b353c53cebc37f9ea7190025b790a09ccdcd51 Mon Sep 17 00:00:00 2001 From: Jak Daniels Date: Sat, 17 Oct 2015 12:56:50 +0100 Subject: [PATCH] Fix security so it correctly checks the OwnerUUID of an object which contains the script issuing a command --- Module/BirdsModule/FlockingModule.cs | 13 ++++++++++++- README.md | 5 ++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Module/BirdsModule/FlockingModule.cs b/Module/BirdsModule/FlockingModule.cs index f401c25..df8d0ea 100644 --- a/Module/BirdsModule/FlockingModule.cs +++ b/Module/BirdsModule/FlockingModule.cs @@ -311,8 +311,19 @@ namespace Flocking protected void SimChatSent (Object x, OSChatMessage msg) { if (msg.Channel != m_chatChannel) return; // not for us + if (m_allowedControllers.Count > 0) + { + bool reject = true; + if (msg.SenderObject != null) + { + UUID ooUUID = ((SceneObjectPart)msg.SenderObject).OwnerID; + //m_log.InfoFormat("[{0}]: Message from object {1} with OwnerID: {2}", m_name, msg.SenderUUID, ooUUID); + if (m_allowedControllers.Contains(ooUUID)) reject = false; + } + if (m_allowedControllers.Contains(msg.SenderUUID)) reject = false; - if (m_allowedControllers.Count>0 & !m_allowedControllers.Contains(msg.SenderUUID)) return; // not for us + if (reject) return; //not for us + } // try and parse a valid cmd from this msg string cmd = msg.Message; //.ToLower (); diff --git a/README.md b/README.md index d4baca4..3ed3808 100644 --- a/README.md +++ b/README.md 
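Review bot: The unchecked cast `((SceneObjectPart)msg.SenderObject).OwnerID` in the new allow-list block of SimChatSent will throw InvalidCastException if a non-null SenderObject is ever anything other than a SceneObjectPart; the declared type of SenderObject is not visible in this hunk, but the need for a cast suggests it is wider. A type-tested form keeps the check fail-closed without relying on an exception inside the chat event handler: `SceneObjectPart part = msg.SenderObject as SceneObjectPart;` followed by `if (part != null && m_allowedControllers.Contains(part.OwnerID)) reject = false;`. Because this branch is the module's access-control decision, consider replacing the commented-out `m_log.InfoFormat` line with a real debug-level log on the `if (reject) return;` path, so that denied control attempts can be audited. SimChatSent's body continues beyond the hunk.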
@@ -123,7 +123,10 @@ By default anyone can send commands to the module from within a script or via th You should use a high negative value for channel if you want to allow script access, but not in-world chat. Further you can restrict which users are allowed to control the module using the 'BirdsAllowedControllers' setting. This is a comma separated list of user UUIDs, but it may also contain one of the pre-defined constants ESTATE_OWNER (evaluates to the UUID of the estate owner) and ESTATE_MANAGER -(evaluates to a list of estate manager UUIDS). +(evaluates to a list of estate manager UUIDS). + +* For commands sent from in-world chat, it is the UUID of the avatar sending the command that is checked against the list. +* For commands sent from a script it is the UUID of the owner of the prim in which the script resides that is checked against the list. Bird prims: