/**
* @file llcommandhandler.cpp
* @brief Central registry for text-driven "commands", most of
* which manipulate user interface. For example, the command
* "agent (uuid) about" will open the UI for an avatar's profile.
*
* $LicenseInfo:firstyear=2007&license=viewerlgpl$
* Second Life Viewer Source Code
* Copyright (C) 2010, Linden Research, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation;
* version 2.1 of the License only.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* Linden Research, Inc., 945 Battery Street, San Francisco, CA 94111 USA
* $/LicenseInfo$
*/
#include "llviewerprecompiledheaders.h"
#include "llcommandhandler.h"
#include "llnotificationsutil.h"
#include "llcommanddispatcherlistener.h"
#include "llstartup.h"
#include "stringize.h"
// system includes
#include <boost/tokenizer.hpp>
// Minimum spacing, in seconds, between two commands accepted through the
// UNTRUSTED_THROTTLE path of LLCommandHandlerRegistry::dispatch().
#define THROTTLE_PERIOD 5 // required seconds between throttled commands
// File-scope listener instance, constructed during static initialization.
// NOTE(review): its role is defined in llcommanddispatcherlistener.h, which is
// not visible here -- confirm what it exposes before relying on it.
static LLCommandDispatcherListener sCommandDispatcherListener;
// Navigation-type tags. In this file only NAV_TYPE_CLICKED is compared against
// the nav_type argument of dispatch(); the other two are just defined here.
const std::string LLCommandHandler::NAV_TYPE_CLICKED = "clicked";
const std::string LLCommandHandler::NAV_TYPE_EXTERNAL = "external";
const std::string LLCommandHandler::NAV_TYPE_NAVIGATED = "navigated";
//---------------------------------------------------------------------------
// Underlying registry for command handlers, not directly accessible.
//---------------------------------------------------------------------------
// One registry entry: the handler for a command together with the policy that
// dispatch() applies when a request does not come from a trusted browser.
struct LLCommandHandlerInfo
{
// Consulted by dispatch() only when it is called with trusted_browser == false.
LLCommandHandler::EUntrustedAccess mUntrustedBrowserAccess;
// Non-owning raw pointer. Nothing in this file erases an entry, so the pointed-to
// handler has to stay alive for as long as dispatch() can be called.
LLCommandHandler* mHandler; // safe, all of these are static objects
};
// Map from command name to handler and untrusted-access policy. In this file it
// is reached through LLCommandHandler's constructor (registration) and through
// LLCommandDispatcher (dispatch and enumeration).
class LLCommandHandlerRegistry
{
public:
// Returns the single registry object, created on first use.
static LLCommandHandlerRegistry& instance();
// Stores handler and untrusted_access under cmd, replacing any entry that
// already uses that name.
void add(const char* cmd,
LLCommandHandler::EUntrustedAccess untrusted_access,
LLCommandHandler* handler);
// Looks up cmd and forwards to its handler. When trusted_browser is false the
// entry's access policy is applied first. Returns false for an unknown
// command; a blocked or throttled request returns true without being handled.
bool dispatch(const std::string& cmd,
const LLSD& params,
const LLSD& query_map,
const std::string& grid,
LLMediaCtrl* web,
const std::string& nav_type,
bool trusted_browser);
private:
// Each of these raises its user notification at most once per process.
void notifySlurlBlocked();
void notifySlurlThrottled();
// enumerate() reads mMap directly to report every command and its policy.
friend LLSD LLCommandDispatcher::enumerate();
// Keyed by command name; entries are added by add() and never erased here.
std::map<std::string, LLCommandHandlerInfo> mMap;
};
// static
LLCommandHandlerRegistry& LLCommandHandlerRegistry::instance()
{
    // Function-local static, built the first time a caller asks for it.
    // Handlers register themselves from their constructors before main()
    // runs, and the initialization order of namespace-scope objects across
    // translation units cannot be relied on, so the registry must not be a
    // plain global.
    static LLCommandHandlerRegistry sRegistry;
    return sRegistry;
}
/**
 * Record the handler and untrusted-access policy for a command name.
 *
 * @param cmd              command name, used as the map key
 * @param untrusted_access policy applied by dispatch() to untrusted requests
 * @param handler          handler to invoke; stored as a non-owning pointer
 */
void LLCommandHandlerRegistry::add(const char* cmd,
                                   LLCommandHandler::EUntrustedAccess untrusted_access,
                                   LLCommandHandler* handler)
{
    // operator[] creates the slot when the name is new and returns the
    // existing one otherwise. A second registration under the same name
    // therefore replaces both the handler and its access policy, with no
    // diagnostic.
    LLCommandHandlerInfo& slot = mMap[cmd];
    slot.mUntrustedBrowserAccess = untrusted_access;
    slot.mHandler = handler;
}
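/**
 * Route a command to its registered handler, applying the entry's
 * untrusted-access policy first when the request did not come from a
 * trusted browser.
 *
 * @param cmd             command name, used as the registry key
 * @param params          forwarded to the handler
 * @param query_map       forwarded to the handler
 * @param grid            forwarded to handle()
 * @param web             forwarded to the handler
 * @param nav_type        navigation type; only NAV_TYPE_CLICKED is
 *                        special-cased here
 * @param trusted_browser when true the policy switch is skipped entirely
 * @return false if cmd is not registered, or if the request passed the
 *         policy check but the entry has no handler; true if the request
 *         was blocked, throttled or dropped; otherwise the result of the
 *         handler's handle().
 */
bool LLCommandHandlerRegistry::dispatch(const std::string& cmd,
                                        const LLSD& params,
                                        const LLSD& query_map,
                                        const std::string& grid,
                                        LLMediaCtrl* web,
                                        const std::string& nav_type,
                                        bool trusted_browser)
{
    // One timestamp for every UNTRUSTED_THROTTLE command: an accepted
    // command starts the quiet period for all of them, not only for itself.
    // NOTE(review): unsynchronized function-local static; assumes dispatch()
    // is only ever called from one thread -- confirm against callers.
    static F64 last_throttle_time = 0.0;
    F64 cur_time = 0.0;

    std::map<std::string, LLCommandHandlerInfo>::iterator it = mMap.find(cmd);
    if (it == mMap.end()) return false;
    const LLCommandHandlerInfo& info = it->second;

    if (!trusted_browser)
    {
        switch (info.mUntrustedBrowserAccess)
        {
        case LLCommandHandler::UNTRUSTED_ALLOW:
            // fall through and let the command be handled
            break;

        case LLCommandHandler::UNTRUSTED_BLOCK:
            // block request from external browser, but report as
            // "handled" because it was well formatted.
            LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL;
            notifySlurlBlocked();
            return true;

        case LLCommandHandler::UNTRUSTED_CLICK_ONLY:
            // The handler pointer is checked before it is dereferenced; an
            // entry without a handler is treated as blocked rather than
            // reaching canHandleUntrusted() through a null pointer.
            if (nav_type == LLCommandHandler::NAV_TYPE_CLICKED
                && info.mHandler
                && info.mHandler->canHandleUntrusted(params, query_map, web, nav_type))
            {
                break;
            }
            LL_WARNS_ONCE("SLURL") << "Blocked SLURL click-only command " << cmd << " from untrusted browser" << LL_ENDL;
            notifySlurlBlocked();
            return true;

        case LLCommandHandler::UNTRUSTED_THROTTLE:
            //skip initial request from external browser before STATE_BROWSER_INIT
            if (LLStartUp::getStartupState() == STATE_FIRST)
            {
                return true;
            }
            // Same null guard as the click-only case: no handler means the
            // request is refused instead of dereferencing a null pointer.
            if (!info.mHandler
                || !info.mHandler->canHandleUntrusted(params, query_map, web, nav_type))
            {
                LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL;
                notifySlurlBlocked();
                return true;
            }
            // if users actually click on a link, we don't need to throttle it
            // (throttling mechanism is used to prevent an avalanche of clicks via
            // javascript)
            if (nav_type == LLCommandHandler::NAV_TYPE_CLICKED)
            {
                break;
            }
            cur_time = LLTimer::getElapsedSeconds();
            if (cur_time < last_throttle_time + THROTTLE_PERIOD)
            {
                // block request from external browser if it happened
                // within THROTTLE_PERIOD seconds of the last command
                LL_WARNS_ONCE("SLURL") << "Throttled SLURL command from untrusted browser" << LL_ENDL;
                notifySlurlThrottled();
                return true;
            }
            last_throttle_time = cur_time;
            break;

        default:
            // Fail closed. The four cases above are the values listed in
            // this file's symbols table; any other stored value would
            // otherwise leave the switch and be dispatched exactly like
            // UNTRUSTED_ALLOW.
            LL_WARNS_ONCE("SLURL") << "Blocked SLURL command from untrusted browser" << LL_ENDL;
            notifySlurlBlocked();
            return true;
        }
    }

    if (!info.mHandler) return false;
    return info.mHandler->handle(params, query_map, grid, web);
}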
// Raise the "BlockedSLURL" notification, at most once per process.
void LLCommandHandlerRegistry::notifySlurlBlocked()
{
    static bool already_reported = false;
    if (already_reported)
    {
        return;
    }

    // Note: commands can arrive before we initialize everything we need for Notification.
    const bool notifications_ready = LLStartUp::getStartupState() >= STATE_BROWSER_INIT;
    if (notifications_ready)
    {
        LLNotificationsUtil::add("BlockedSLURL");
    }

    // The latch is set on the first call whether or not the notification was
    // shown, so a block that happens before STATE_BROWSER_INIT also silences
    // the notification for every later block.
    already_reported = true;
}
// Raise the "ThrottledSLURL" notification, at most once per process.
void LLCommandHandlerRegistry::notifySlurlThrottled()
{
    static bool already_reported = false;
    if (already_reported)
    {
        return;
    }

    // Note: commands can arrive before we initialize everything we need for Notification.
    const bool notifications_ready = LLStartUp::getStartupState() >= STATE_BROWSER_INIT;
    if (notifications_ready)
    {
        LLNotificationsUtil::add("ThrottledSLURL");
    }

    // The latch is set on the first call whether or not the notification was
    // shown, so a throttle that happens before STATE_BROWSER_INIT also
    // silences the notification for every later one.
    already_reported = true;
}
//---------------------------------------------------------------------------
// Automatic registration of commands, runs before main()
//---------------------------------------------------------------------------
/**
 * Register this handler under cmd with the given untrusted-access policy.
 *
 * @param cmd              command name the handler answers to
 * @param untrusted_access policy dispatch() applies to untrusted requests
 */
LLCommandHandler::LLCommandHandler(const char* cmd,
                                   EUntrustedAccess untrusted_access)
{
    // The registry stores `this` as a raw pointer and never removes it.
    LLCommandHandlerRegistry& registry = LLCommandHandlerRegistry::instance();
    registry.add(cmd, untrusted_access, this);
}
// Destructor; deliberately leaves the registry entry in place.
LLCommandHandler::~LLCommandHandler()
{
// Don't care about unregistering these, all the handlers
// should be static objects.
// The registry still holds the raw pointer stored by the constructor, so a
// handler destroyed while dispatch() can still run would leave a dangling
// entry behind.
}
//---------------------------------------------------------------------------
// Public interface
//---------------------------------------------------------------------------
// static
/**
 * Public entry point: hand the command to the registry unchanged.
 *
 * Every argument, including trusted_browser, is forwarded as given; the
 * access-policy decision is made in LLCommandHandlerRegistry::dispatch().
 *
 * @return whatever the registry's dispatch() returns
 */
bool LLCommandDispatcher::dispatch(const std::string& cmd,
                                   const LLSD& params,
                                   const LLSD& query_map,
                                   const std::string& grid,
                                   LLMediaCtrl* web,
                                   const std::string& nav_type,
                                   bool trusted_browser)
{
    LLCommandHandlerRegistry& registry = LLCommandHandlerRegistry::instance();
    return registry.dispatch(cmd, params, query_map, grid, web, nav_type, trusted_browser);
}
// Defined at the end of this file; maps a policy value to its short name.
static std::string lookup(LLCommandHandler::EUntrustedAccess value);

/**
 * List every registered command with its untrusted-access policy.
 *
 * @return an LLSD keyed by command name; each value carries "untrusted"
 *         (the policy value) and "untrusted_str" (its name from lookup()).
 */
LLSD LLCommandDispatcher::enumerate()
{
    typedef std::map<std::string, LLCommandHandlerInfo> registry_map_t;

    LLSD response;
    // Friend access: the map itself is private to the registry.
    const registry_map_t& commands = LLCommandHandlerRegistry::instance().mMap;
    for (registry_map_t::const_iterator entry = commands.begin();
         entry != commands.end(); ++entry)
    {
        const LLCommandHandlerInfo& record = entry->second;

        LLSD info;
        info["untrusted"] = record.mUntrustedBrowserAccess;
        info["untrusted_str"] = lookup(record.mUntrustedBrowserAccess);
        response[entry->first] = info;
    }
    return response;
}
/*------------------------------ lookup stuff ------------------------------*/
// Pairs one EUntrustedAccess value with the printable name lookup() returns for it.
struct symbol_info
{
// Enumerator name with the "LLCommandHandler::UNTRUSTED_" prefix skipped (see ent).
const char* name;
// The enumerator that name describes.
LLCommandHandler::EUntrustedAccess value;
};
// ent(SYMBOL) expands to one symbol_info initializer. #SYMBOL stringizes the
// qualified enumerator, and [28] indexes past the 28-character
// "LLCommandHandler::UNTRUSTED_" prefix, so name points at e.g. "ALLOW".
// The offset is a hand-counted constant: an argument spelled with any other
// prefix makes name point at the wrong character, or past the end of the
// literal if the spelling is shorter than 28 characters.
#define ent(SYMBOL) \
{ \
&#SYMBOL[28], /* skip "LLCommandHandler::UNTRUSTED_" prefix */ \
SYMBOL \
}
// Table scanned linearly by lookup().
// NOTE(review): declared without static or const, so it is a writable object
// with external linkage; lookup() is its only reader in this file.
symbol_info symbols[] =
{
ent(LLCommandHandler::UNTRUSTED_ALLOW), // allow commands from untrusted browsers
ent(LLCommandHandler::UNTRUSTED_BLOCK), // ignore commands from untrusted browsers
ent(LLCommandHandler::UNTRUSTED_CLICK_ONLY), // allow untrusted, but only if clicked
ent(LLCommandHandler::UNTRUSTED_THROTTLE) // allow untrusted, but only a few per min.
};
#undef ent
/**
 * Translate an untrusted-access policy value into its short name.
 *
 * @param value policy value to name
 * @return the matching name from the symbols table, or "UNTRUSTED_"
 *         followed by the streamed value when the table has no match.
 */
static std::string lookup(LLCommandHandler::EUntrustedAccess value)
{
    const size_t symbol_count = sizeof(symbols) / sizeof(symbols[0]);
    for (size_t idx = 0; idx < symbol_count; ++idx)
    {
        const symbol_info& candidate = symbols[idx];
        if (candidate.value == value)
        {
            return candidate.name;
        }
    }
    // Not in the table: describe the value by streaming it after the prefix.
    return STRINGIZE("UNTRUSTED_" << value);
}