Fix a security relevant issue with take / take copy

2010-10-09 01:02:57 +02:00 · 2010-10-09 01:02:57 +02:00 · ff49a21eca
parent 52dd547863
commit ff49a21eca
1 changed files with 71 additions and 57 deletions
--- a/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
+++ b/OpenSim/Region/Framework/Scenes/Scene.Inventory.cs
@ -1695,6 +1695,7 @@ namespace OpenSim.Region.Framework.Scenes
            // build a list of eligible objects
            List<uint> deleteIDs = new List<uint>();
            List<SceneObjectGroup> deleteGroups = new List<SceneObjectGroup>();
+            List<SceneObjectGroup> takeGroups = new List<SceneObjectGroup>();

            // Start with true for both, then remove the flags if objects
            // that we can't derez are part of the selection
@ -1727,9 +1728,6 @@ namespace OpenSim.Region.Framework.Scenes

                SceneObjectGroup grp = part.ParentGroup;

-                deleteGroups.Add(grp);
-                deleteIDs.Add(grp.LocalId);
-
                if (remoteClient == null)
                {
                    // Autoreturn has a null client. Nothing else does. So
@ -1756,7 +1754,6 @@ namespace OpenSim.Region.Framework.Scenes
                    if (!Permissions.CanDeleteObject(grp.UUID, remoteClient.AgentId))
                        permissionToDelete = false;
                }
-            }

                // Handle god perms
                if ((remoteClient != null) && Permissions.IsGod(remoteClient.AgentId))
@ -1798,10 +1795,7 @@ namespace OpenSim.Region.Framework.Scenes
                            permissionToTake = true;
                            permissionToDelete = true;

-                        foreach (SceneObjectGroup g in deleteGroups)
-                        {
-                            AddReturn(g.OwnerID, g.Name, g.AbsolutePosition, "parcel owner return");
-                        }
+                            AddReturn(grp.OwnerID, grp.Name, grp.AbsolutePosition, "parcel owner return");
                        }
                    }
                    else // Auto return passes through here with null agent
@ -1809,20 +1803,40 @@ namespace OpenSim.Region.Framework.Scenes
                        permissionToTake = true;
                        permissionToDelete = true;
                    }
+
+                    if (permissionToTake && (!permissionToDelete))
+                        takeGroups.Add(grp);
+
+                    if (permissionToDelete)
+                    {
+                        if (permissionToTake)
+                            deleteGroups.Add(grp);
+                        deleteIDs.Add(grp.LocalId);
+                    }
+                }
            }

            SendKillObject(deleteIDs);

-            if (permissionToTake)
-            {
-                m_asyncSceneObjectDeleter.DeleteToInventory(
-                        action, destinationID, deleteGroups, remoteClient,
-                        permissionToDelete);
-            }
-            else if (permissionToDelete)
+            if (deleteGroups.Count > 0)
            {
                foreach (SceneObjectGroup g in deleteGroups)
-                    DeleteSceneObject(g, false);
+                    deleteIDs.Remove(g.LocalId);
+
+                m_asyncSceneObjectDeleter.DeleteToInventory(
+                        action, destinationID, deleteGroups, remoteClient,
+                        true);
+            }
+            if (takeGroups.Count > 0)
+            {
+                m_asyncSceneObjectDeleter.DeleteToInventory(
+                        action, destinationID, takeGroups, remoteClient,
+                        false);
+            }
+            if (deleteIDs.Count > 0)
+            {
+                foreach (SceneObjectGroup g in deleteGroups)
+                    DeleteSceneObject(g, true);
            }
        }