/** * @file llcommandhandler.cpp * @brief Central registry for text-driven "commands", most of * which manipulate user interface. For example, the command * "agent (uuid) about" will open the UI for an avatar's profile. * * $LicenseInfo:firstyear=2007&license=viewerlgpl$ * Second Life Viewer Source Code * Copyright (C) 2010, Linden Research, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; * version 2.1 of the License only. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * * Linden Research, Inc., 945 Battery Street, San Francisco, CA 94111 USA * $/LicenseInfo$ */ #include "llviewerprecompiledheaders.h" #include "llcommandhandler.h" #include "llnotificationsutil.h" #include "llcommanddispatcherlistener.h" #include "llstartup.h" #include "stringize.h" // system includes #include <boost/tokenizer.hpp> #define THROTTLE_PERIOD 5 // required seconds between throttled commands static LLCommandDispatcherListener sCommandDispatcherListener; const std::string LLCommandHandler::NAV_TYPE_CLICKED = "clicked"; const std::string LLCommandHandler::NAV_TYPE_EXTERNAL = "external"; const std::string LLCommandHandler::NAV_TYPE_NAVIGATED = "navigated"; //--------------------------------------------------------------------------- // Underlying registry for command handlers, not directly accessible. //--------------------------------------------------------------------------- struct LLCommandHandlerInfo { LLCommandHandler::EUntrustedAccess mUntrustedBrowserAccess; LLCommandHandler* mHandler; // safe, all of these are static objects }; class LLCommandHandlerRegistry { public: static LLCommandHandlerRegistry& instance(); void add(const char* cmd, LLCommandHandler::EUntrustedAccess untrusted_access, LLCommandHandler* handler); bool dispatch(const std::string& cmd, const LLSD& params, const LLSD& query_map, const std::string& grid, LLMediaCtrl* web, const std::string& nav_type, bool trusted_browser); private: void notifySlurlBlocked(); void notifySlurlThrottled(); friend LLSD LLCommandDispatcher::enumerate(); std::map<std::string, LLCommandHandlerInfo> mMap; }; // static LLCommandHandlerRegistry& LLCommandHandlerRegistry::instance() { // Force this to be initialized on first call, because we're going // to be adding items to the std::map before main() and we can't // rely on a global being initialized in the right order. static LLCommandHandlerRegistry instance; return instance; } void LLCommandHandlerRegistry::add(const char* cmd, LLCommandHandler::EUntrustedAccess untrusted_access, LLCommandHandler* handler) { LLCommandHandlerInfo info; info.mUntrustedBrowserAccess = untrusted_access; info.mHandler = handler; mMap[cmd] = info; } bool LLCommandHandlerRegistry::dispatch(const std::string& cmd, const LLSD& params, const LLSD& query_map, const std::string& grid, LLMediaCtrl* web, const std::string& nav_type, bool trusted_browser) { static F64 last_throttle_time = 0.0; F64 cur_time = 0.0; std::map<std::string, LLCommandHandlerInfo>::iterator it = mMap.find(cmd); if (it == mMap.end()) return false; const LLCommandHandlerInfo& info = it->second; if (!trusted_browser) { switch (info.mUntrustedBrowserAccess) { case LLCommandHandler::UNTRUSTED_ALLOW: // fall through and let the command be handled break; case LLCommandHandler::UNTRUSTED_BLOCK: // block request from external browser, but report as // "handled" because it was well formatted. LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL; notifySlurlBlocked(); return true; case LLCommandHandler::UNTRUSTED_CLICK_ONLY: if (nav_type == LLCommandHandler::NAV_TYPE_CLICKED && info.mHandler->canHandleUntrusted(params, query_map, web, nav_type)) { break; } LL_WARNS_ONCE("SLURL") << "Blocked SLURL click-only command " << cmd << " from untrusted browser" << LL_ENDL; notifySlurlBlocked(); return true; case LLCommandHandler::UNTRUSTED_THROTTLE: //skip initial request from external browser before STATE_BROWSER_INIT if (LLStartUp::getStartupState() == STATE_FIRST) { return true; } if (!info.mHandler->canHandleUntrusted(params, query_map, web, nav_type)) { LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL; notifySlurlBlocked(); return true; } // if users actually click on a link, we don't need to throttle it // (throttling mechanism is used to prevent an avalanche of clicks via // javascript if (nav_type == LLCommandHandler::NAV_TYPE_CLICKED) { break; } cur_time = LLTimer::getElapsedSeconds(); if (cur_time < last_throttle_time + THROTTLE_PERIOD) { // block request from external browser if it happened // within THROTTLE_PERIOD seconds of the last command LL_WARNS_ONCE("SLURL") << "Throttled SLURL command from untrusted browser" << LL_ENDL; notifySlurlThrottled(); return true; } last_throttle_time = cur_time; break; } } if (!info.mHandler) return false; return info.mHandler->handle(params, query_map, grid, web); } void LLCommandHandlerRegistry::notifySlurlBlocked() { static bool slurl_blocked = false; if (!slurl_blocked) { if (LLStartUp::getStartupState() >= STATE_BROWSER_INIT) { // Note: commands can arrive before we initialize everything we need for Notification. LLNotificationsUtil::add("BlockedSLURL"); } slurl_blocked = true; } } void LLCommandHandlerRegistry::notifySlurlThrottled() { static bool slurl_throttled = false; if (!slurl_throttled) { if (LLStartUp::getStartupState() >= STATE_BROWSER_INIT) { // Note: commands can arrive before we initialize everything we need for Notification. LLNotificationsUtil::add("ThrottledSLURL"); } slurl_throttled = true; } } //--------------------------------------------------------------------------- // Automatic registration of commands, runs before main() //--------------------------------------------------------------------------- LLCommandHandler::LLCommandHandler(const char* cmd, EUntrustedAccess untrusted_access) { LLCommandHandlerRegistry::instance().add(cmd, untrusted_access, this); } LLCommandHandler::~LLCommandHandler() { // Don't care about unregistering these, all the handlers // should be static objects. } //--------------------------------------------------------------------------- // Public interface //--------------------------------------------------------------------------- // static bool LLCommandDispatcher::dispatch(const std::string& cmd, const LLSD& params, const LLSD& query_map, const std::string& grid, LLMediaCtrl* web, const std::string& nav_type, bool trusted_browser) { return LLCommandHandlerRegistry::instance().dispatch( cmd, params, query_map, grid, web, nav_type, trusted_browser); } static std::string lookup(LLCommandHandler::EUntrustedAccess value); LLSD LLCommandDispatcher::enumerate() { LLSD response; LLCommandHandlerRegistry& registry(LLCommandHandlerRegistry::instance()); for (std::map<std::string, LLCommandHandlerInfo>::const_iterator chi(registry.mMap.begin()), chend(registry.mMap.end()); chi != chend; ++chi) { LLSD info; info["untrusted"] = chi->second.mUntrustedBrowserAccess; info["untrusted_str"] = lookup(chi->second.mUntrustedBrowserAccess); response[chi->first] = info; } return response; } /*------------------------------ lookup stuff ------------------------------*/ struct symbol_info { const char* name; LLCommandHandler::EUntrustedAccess value; }; #define ent(SYMBOL) \ { \ &#SYMBOL[28], /* skip "LLCommandHandler::UNTRUSTED_" prefix */ \ SYMBOL \ } symbol_info symbols[] = { ent(LLCommandHandler::UNTRUSTED_ALLOW), // allow commands from untrusted browsers ent(LLCommandHandler::UNTRUSTED_BLOCK), // ignore commands from untrusted browsers ent(LLCommandHandler::UNTRUSTED_CLICK_ONLY), // allow untrusted, but only if clicked ent(LLCommandHandler::UNTRUSTED_THROTTLE) // allow untrusted, but only a few per min. }; #undef ent static std::string lookup(LLCommandHandler::EUntrustedAccess value) { for (symbol_info *sii(symbols), *siend(symbols + (sizeof(symbols)/sizeof(symbols[0]))); sii != siend; ++sii) { if (sii->value == value) { return sii->name; } } return STRINGIZE("UNTRUSTED_" << value); }