From cd64842e338fb216f0772e371278c56b921f6f87 Mon Sep 17 00:00:00 2001 From: Nat Goodspeed Date: Thu, 18 Jul 2024 14:24:36 -0400 Subject: Improve viewer's defense against `LLEventAPI` failures. `LLEventAPI` is specifically intended to allow a LEAP plugin, or a Lua script, to access certain viewer functionality. Errors in external code like that cannot be addressed during viewer development. Any code path that allows external code in any form to crash the viewer opens up a potential abuse vector, if a trusting user runs external code from an untrustworthy source. `LLDispatchListener` reports exceptions back to its invoker, if the invoker provides a "reply" `LLEventPump` name. Absent "reply", though, `LLDispatchListener` is documented to let any such exception propagate. That behavior may be okay for internal use, but in the case of the `LLEventAPI` subclass, it veers into the abuse scenario described above. Make `LLEventAPI` ensure that any exception propagating from `LLDispatchListener` is caught and logged, but not propagated. Also enrich error reporting for the "batch" `LLDispatchListener` operations. --- indra/llcommon/lleventapi.cpp | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'indra/llcommon/lleventapi.cpp') diff --git a/indra/llcommon/lleventapi.cpp b/indra/llcommon/lleventapi.cpp index 8b724256b8..4672371b4f 100644 --- a/indra/llcommon/lleventapi.cpp +++ b/indra/llcommon/lleventapi.cpp @@ -55,6 +55,26 @@ LLEventAPI::~LLEventAPI() { } +bool LLEventAPI::process(const LLSD& event) const +{ + // LLDispatchListener is documented to let DispatchError propagate if the + // incoming request has no "reply" key. That may be fine for internal-only + // use, but LLEventAPI opens the door for external requests. It should NOT + // be possible for any external requester to crash the viewer with an + // unhandled exception, especially not by something as simple as omitting + // the "reply" key. + try + { + return LLDispatchListener::process(event); + } + catch (const std::exception& err) + { + // log the exception, but otherwise ignore it + LL_WARNS("LLEventAPI") << LLError::Log::classname(err) << ": " << err.what() << LL_ENDL; + return false; + } +} + LLEventAPI::Response::Response(const LLSD& seed, const LLSD& request, const LLSD::String& replyKey): mResp(seed), mReq(request), -- cgit v1.2.3