From 1f7d68e555bc927bb72028e149902b6b9aac40b8 Mon Sep 17 00:00:00 2001 From: Melanie Date: Mon, 27 Sep 2010 00:29:27 +0100 Subject: [PATCH 1/3] Restrict inventory items added in a transaction to folder belonging to the connected client. --- OpenSim/Region/Framework/Scenes/Scene.Inventory.cs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs index d3a14477d1..1bf6b87a43 100644 --- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs +++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs @@ -832,6 +832,12 @@ namespace OpenSim.Region.Framework.Scenes if (!Permissions.CanCreateUserInventory(invType, remoteClient.AgentId)) return; + InventoryFolderBase f = new InventoryFolderBase(folderID, remoteClient.AgentId); + InventoryFolderBase folder = InventoryService.GetFolder(f); + + if (folder == null || folder.Owner != remoteClient.AgentId) + return; + if (transactionID == UUID.Zero) { ScenePresence presence; From aaa4cb64a4739c15ce392dcd2f80b1485e96d3b9 Mon Sep 17 00:00:00 2001 From: Melanie Date: Mon, 27 Sep 2010 00:34:30 +0100 Subject: [PATCH 2/3] if you can't edit a prim's inventory, you don't need to see the asset ids. Prevents stealing IDs of animations, sounds and textures from prim inventories. Prevents copybot from gathering the wearable UUIDs needed for pirating things from vendors. --- .../Framework/Scenes/SceneObjectPartInventory.cs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs b/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs index 210f5cd03e..02d3991d15 100644 --- a/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs +++ b/OpenSim/Region/Framework/Scenes/SceneObjectPartInventory.cs @@ -811,8 +811,13 @@ namespace OpenSim.Region.Framework.Scenes // isn't available (such as drag from prim inventory to agent inventory) InventoryStringBuilder invString = new InventoryStringBuilder(m_part.UUID, UUID.Zero); - List items = GetInventoryItems(); - foreach (TaskInventoryItem item in items) + bool includeAssets = false; + if (m_part.ParentGroup.Scene.Permissions.CanEditObjectInventory(m_part.UUID, client.AgentId)) + includeAssets = true; + + m_items.LockItemsForRead(true); + + foreach (TaskInventoryItem item in m_items.Values) { UUID ownerID = item.OwnerID; uint everyoneMask = 0; @@ -840,7 +845,10 @@ namespace OpenSim.Region.Framework.Scenes invString.AddNameValueLine("group_id", item.GroupID.ToString()); invString.AddSectionEnd(); - invString.AddNameValueLine("asset_id", item.AssetID.ToString()); + if (includeAssets) + invString.AddNameValueLine("asset_id", item.AssetID.ToString()); + else + invString.AddNameValueLine("asset_id", UUID.Zero.ToString()); invString.AddNameValueLine("type", TaskInventoryItem.Types[item.Type]); invString.AddNameValueLine("inv_type", TaskInventoryItem.InvTypes[item.InvType]); invString.AddNameValueLine("flags", Utils.UIntToHexString(item.Flags)); From 84ab4742c8041efa02d9bef828c770696333f3dc Mon Sep 17 00:00:00 2001 From: Melanie Date: Mon, 27 Sep 2010 01:31:17 +0100 Subject: [PATCH 3/3] Quash the region ID on intersim messages. That prevents people from determining another avatars location --- .../CoreModules/Avatar/InstantMessage/MessageTransferModule.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OpenSim/Region/CoreModules/Avatar/InstantMessage/MessageTransferModule.cs b/OpenSim/Region/CoreModules/Avatar/InstantMessage/MessageTransferModule.cs index 9b1222b627..918fa04143 100644 --- a/OpenSim/Region/CoreModules/Avatar/InstantMessage/MessageTransferModule.cs +++ b/OpenSim/Region/CoreModules/Avatar/InstantMessage/MessageTransferModule.cs @@ -374,7 +374,7 @@ namespace OpenSim.Region.CoreModules.Avatar.InstantMessage gim.fromAgentName = fromAgentName; gim.fromGroup = fromGroup; gim.imSessionID = imSessionID.Guid; - gim.RegionID = RegionID.Guid; + gim.RegionID = UUID.Zero.Guid; // RegionID.Guid; gim.timestamp = timestamp; gim.toAgentID = toAgentID.Guid; gim.message = message;