From 095aca3eaea4cbc2237d2b3ad3d63fdad54eb2b7 Mon Sep 17 00:00:00 2001
From: Kyle Ambroff <ambroff@lindenlab.com>
Date: Tue, 7 Oct 2008 20:50:30 +0000
Subject: svn merge -r98039:98711
 svn+ssh://svn.lindenlab.com/svn/linden/branches/Branch_1-24-Server -->
 release

Merging various security fixes from Branch_1-24-Server.

Related to RequestXfer exploit:
* DEV-21706 (SEC-188): llParticleSystem can be used to obtain asset id.
* DEV-21767: Migrate RequestXfer to TCP-only
* DEV-21765: Fix RequestXfer traversal exploit
* DEV-21775: LLXferManager::processFileRequest() still has file vulnerabilities

Various fixes:
* fix for VFS memory corruption in llvfs.
* Bump server version to 1.24.9.

Landstore fixes:
* Passing locale to fulfill-order-item from region reservation fulfillment.
---
 indra/newview/llfloaterregioninfo.cpp | 2 ++
 indra/newview/llviewermessage.cpp     | 5 +++++
 2 files changed, 7 insertions(+)

(limited to 'indra/newview')

diff --git a/indra/newview/llfloaterregioninfo.cpp b/indra/newview/llfloaterregioninfo.cpp
index f6dab5391a..e5193b8314 100644
--- a/indra/newview/llfloaterregioninfo.cpp
+++ b/indra/newview/llfloaterregioninfo.cpp
@@ -1306,6 +1306,7 @@ void LLPanelRegionTerrainInfo::onClickDownloadRaw(void* data)
 		return;
 	}
 	std::string filepath = picker.getFirstFile();
+	gXferManager->expectFileForRequest(filepath);
 
 	LLPanelRegionTerrainInfo* self = (LLPanelRegionTerrainInfo*)data;
 	strings_t strings;
@@ -1325,6 +1326,7 @@ void LLPanelRegionTerrainInfo::onClickUploadRaw(void* data)
 		return;
 	}
 	std::string filepath = picker.getFirstFile();
+	gXferManager->expectFileForTransfer(filepath);
 
 	LLPanelRegionTerrainInfo* self = (LLPanelRegionTerrainInfo*)data;
 	strings_t strings;
diff --git a/indra/newview/llviewermessage.cpp b/indra/newview/llviewermessage.cpp
index b6c524065c..72bc991a24 100644
--- a/indra/newview/llviewermessage.cpp
+++ b/indra/newview/llviewermessage.cpp
@@ -5157,6 +5157,11 @@ void process_initiate_download(LLMessageSystem* msg, void**)
 	msg->getString("FileData", "SimFilename", sim_filename);
 	msg->getString("FileData", "ViewerFilename", viewer_filename);
 
+	if (!gXferManager->validateFileForRequest(viewer_filename))
+	{
+		llwarns << "SECURITY: Unauthorized download to local file " << viewer_filename << llendl;
+		return;
+	}
 	gXferManager->requestFile(viewer_filename,
 		sim_filename,
 		LL_PATH_NONE,
-- 
cgit v1.2.3