svn merge -r126867:127217 svn+ssh://svn.lindenlab.com/svn/user/cg/qar-1691

Effective merge: svn merge -r125827:127126 svn+ssh://svn.lindenlab.com/svn/linden/branches/server/server-1.27
QAR-1691

2 files changed, 31 insertions, 19 deletions

diff --git a/indra/llmessage/lliohttpserver.cpp b/indra/llmessage/lliohttpserver.cpp
index 83dfa94f00..ce815cc85b 100644
--- a/indra/llmessage/lliohttpserver.cpp
+++ b/indra/llmessage/lliohttpserver.cpp
@@ -520,7 +520,7 @@ protected:
 	 * seek orfor string assignment.
 	 * @returns Returns true if a line was found.
 	 */
-	bool readLine(
+	bool readHeaderLine(
 		const LLChannelDescriptors& channels,
 		buffer_ptr_t buffer,
 		U8* dest,
@@ -591,7 +591,7 @@ LLHTTPResponder::~LLHTTPResponder()
 	//lldebugs << "destroying LLHTTPResponder" << llendl;
 }
 
-bool LLHTTPResponder::readLine(
+bool LLHTTPResponder::readHeaderLine(
 	const LLChannelDescriptors& channels,
 	buffer_ptr_t buffer,
 	U8* dest,
@@ -669,7 +669,7 @@ LLIOPipe::EStatus LLHTTPResponder::process_impl(
 #endif
 		
 		PUMP_DEBUG;
-		if(readLine(channels, buffer, (U8*)buf, len))
+		if(readHeaderLine(channels, buffer, (U8*)buf, len))
 		{
 			bool read_next_line = false;
 			bool parse_all = true;
@@ -733,7 +733,13 @@ LLIOPipe::EStatus LLHTTPResponder::process_impl(
 					if(read_next_line)
 					{
 						len = HEADER_BUFFER_SIZE;	
-						readLine(channels, buffer, (U8*)buf, len);
+						if (!readHeaderLine(channels, buffer, (U8*)buf, len))
+						{
+							// Failed to read the header line, probably too long.
+							// readHeaderLine already marked the channel/buffer as bad.
+							keep_parsing = false;
+							break;
+						}
 					}
 					if(0 == len)
 					{
diff --git a/indra/llmessage/llxfermanager.cpp b/indra/llmessage/llxfermanager.cpp
index 08c9192c9f..209bdb2249 100644
--- a/indra/llmessage/llxfermanager.cpp
+++ b/indra/llmessage/llxfermanager.cpp
@@ -760,30 +760,36 @@ static bool remove_prefix(std::string& filename, const std::string& prefix)
 static bool verify_cache_filename(const std::string& filename)
 {
 	//NOTE: This routine is only used to check file names that our own
-	// code places in the cache directory.  As such, it can be limited
-	// to this very restrictive file name pattern.  It does not need to
-	// handle other characters.
-
+	// code places in the cache directory.	As such, it can be limited
+	// to this very restrictive file name pattern.	It does not need to
+	// handle other characters. The only known uses of this are (with examples):
+	//	sim to sim object pass:			fc0b72d8-9456-63d9-a802-a557ef847313.tmp
+	//	sim to viewer mute list:		mute_b78eacd0-1244-448e-93ca-28ede242f647.tmp
+	//	sim to viewer task inventory:	inventory_d8ab59d2-baf0-0e79-c4c2-a3f99b9fcf45.tmp
+	
+	//IMPORTANT: Do not broaden the filenames accepted by this routine
+	// without careful analysis. Anything allowed by this function can
+	// be downloaded by the viewer.
+	
 	size_t len = filename.size();
-	//const boost::regex expr("[a-zA-Z0-9][-_.a-zA-Z0-9]<0,49>");
-	if (len < 1 || len > 50)
-	{
+	//const boost::regex expr("[0-9a-zA-Z_-]<1,46>\.tmp");
+	if (len < 5 || len > 50)
+	{	
 		return false;
 	}
-	for(unsigned i=0; i<len; ++i)
-	{
+	for(size_t i=0; i<(len-4); ++i)
+	{	
 		char c = filename[i];
-		bool ok = isalnum(c);
-		if (!ok && i > 0)
-		{
-			ok = '_'==c || '-'==c || '.'==c;
-		}
+		bool ok = isalnum(c) || '_'==c || '-'==c;
 		if (!ok)
 		{
 			return false;
 		}
 	}
-	return true;
+	return filename[len-4] == '.'
+		&& filename[len-3] == 't'
+		&& filename[len-2] == 'm'
+		&& filename[len-1] == 'p';
 }
 
 void LLXferManager::processFileRequest (LLMessageSystem *mesgsys, void ** /*user_data*/)