From 363ee42d53bd3049df0d17f16e211fac6b73daf7 Mon Sep 17 00:00:00 2001
From: Lynx Linden <lynx@lindenlab.com>
Date: Wed, 9 Dec 2009 18:44:01 +0000
Subject: EXT-3234: Display notification when SLurl blocked/throttled.

We block or throttled certain SLurls when they came from an untrusted
browser. Previously this would happen silently (though a message was
sent to the logfile). Now we show a once-per-session notification if
either of these situations arise.
---
 indra/newview/llcommandhandler.cpp                   | 13 +++++++++++++
 indra/newview/skins/default/xui/en/notifications.xml | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)

(limited to 'indra')

diff --git a/indra/newview/llcommandhandler.cpp b/indra/newview/llcommandhandler.cpp
index af6488388a..1d92661ea2 100644
--- a/indra/newview/llcommandhandler.cpp
+++ b/indra/newview/llcommandhandler.cpp
@@ -34,6 +34,7 @@
 #include "llviewerprecompiledheaders.h"
 
 #include "llcommandhandler.h"
+#include "llnotificationsutil.h"
 
 // system includes
 #include <boost/tokenizer.hpp>
@@ -93,6 +94,8 @@ bool LLCommandHandlerRegistry::dispatch(const std::string& cmd,
 										LLMediaCtrl* web,
 										bool trusted_browser)
 {
+	static bool slurl_blocked = false;
+	static bool slurl_throttled = false;
 	static F64 last_throttle_time = 0.0;
 	F64 cur_time = 0.0;
 	std::map<std::string, LLCommandHandlerInfo>::iterator it = mMap.find(cmd);
@@ -110,6 +113,11 @@ bool LLCommandHandlerRegistry::dispatch(const std::string& cmd,
 			// block request from external browser, but report as
 			// "handled" because it was well formatted.
 			LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL;
+			if (! slurl_blocked)
+			{
+				LLNotificationsUtil::add("BlockedSLURL");
+				slurl_blocked = true;
+			}
 			return true;
 
 		case LLCommandHandler::UNTRUSTED_THROTTLE:
@@ -119,6 +127,11 @@ bool LLCommandHandlerRegistry::dispatch(const std::string& cmd,
 				// block request from external browser if it happened
 				// within THROTTLE_PERIOD secs of the last command
 				LL_WARNS_ONCE("SLURL") << "Throttled SLURL command from untrusted browser" << LL_ENDL;
+				if (! slurl_throttled)
+				{
+					LLNotificationsUtil::add("ThrottledSLURL");
+					slurl_throttled = true;
+				}
 				return true;
 			}
 			last_throttle_time = cur_time;
diff --git a/indra/newview/skins/default/xui/en/notifications.xml b/indra/newview/skins/default/xui/en/notifications.xml
index f659062cfe..69d7a1dd33 100644
--- a/indra/newview/skins/default/xui/en/notifications.xml
+++ b/indra/newview/skins/default/xui/en/notifications.xml
@@ -5754,6 +5754,23 @@ You just entered a region using a different server version, which may affect per
 The SLurl you clicked on is not supported.
   </notification>
 
+  <notification
+   icon="notifytip.tga"
+   name="BlockedSLURL"
+   priority="high"
+   type="notifytip">
+A SLurl was received from an untrusted browser and has been blocked for your security.
+  </notification>
+
+  <notification
+   icon="notifytip.tga"
+   name="ThrottledSLURL"
+   priority="high"
+   type="notifytip">
+Multiple SLurls were received from an untrusted browser within a short period.
+They will be blocked for a few seconds for your security. 
+  </notification>
+
   <notification name="IMToast" type="notifytoast">
 [MESSAGE]
     <form name="form">
-- 
cgit v1.2.3