Difference between revisions of "LSL Protocol/Restrained Love Relay/Bugs and Pending Features"
Maike Short (talk | contribs) |
m (<lsl> tag to <source>) |
||
(73 intermediate revisions by 9 users not shown) | |||
Line 1: | Line 1: | ||
{{Restrained Life Relay Specs TOC}} | {{Restrained Life Relay Specs TOC}} | ||
== Stuck: Accepting Permission Dialog after !release == | == Functions in discussion/development == | ||
* [[LSL Protocol/Restrained Life Relay/resetting environment settings|resetting environment settings]] | |||
* [[LSL Protocol/Restrained Life Relay/pong handling contradiction|pong handling contradiction]] | |||
* [[LSL Protocol/Restrained Life Relay/delay|delay]] | |||
* [[LSL Protocol/Restrained Life Relay/gender|gender]] | |||
== Discussion about new features in 1.040 == | |||
* [[LSL Protocol/Restrained Life Relay/vision|vision restriction]] | |||
* [[LSL Protocol/Restrained Life Relay/handover|handover]] | |||
* [[LSL Protocol/Restrained Life Relay/who|who]] | |||
* [[LSL Protocol/Restrained Life Relay/editorial changes|editorial changes]] | |||
== 1.040 == | |||
Maike Short single script version | |||
; Description : In listen event for the permission dialog, message is always freed before being send to the process function => message is never handled and permission never given. | |||
; Discovered by : herina Bode | |||
; Fix : Replace call to processDialogResponse(id, message) by processDialogResponse(id, currentMessage); | |||
== 1.030 == | |||
=== isObjectNear and non existing objects === | |||
; Description : If an objects does not exist (anymore) in the current sim and its neighbors, llGetObjectDetails returns <0, 0, 0> which means it is wrongly detected as being close if you are within 100m to that locations | |||
; Discovered by : Kitty Barnett | |||
; Fix : [https://wiki.secondlife.com/w/index.php?title=LSL_Protocol%2FRestrained_Life_Relay%2FOther_Implementations%2FMaike_Short%27s_Relay&diff=262273&oldid=255372 Maike's fix] | |||
=== groupless objects are trusted on parcels not set to a group === | |||
; Description : On a parcel which is not set to a group, the not-owner warning is not displayed for groupless objects | |||
; Discovered by : Kitty Barnett | |||
; Fix : [https://wiki.secondlife.com/w/index.php?title=LSL_Protocol%2FRestrained_Life_Relay%2FOther_Implementations%2FMaike_Short%27s_Relay&diff=262273&oldid=255372 Maike's fix] | |||
=== Fake Avatar Chat === | |||
; Description : 1. An object can remove the guarding prefix for chatting on channel using =y. 2. An object can use @getstatus=n or @getstatus=-1 (and in some cased @getstatus=some random text) to cause the agent to should on public chat. This does work for the other query commands as well. | |||
; Discovered by : Marissa Mistwallow and Maike Short | |||
; Affected relays : I did some quick tests on a number of different relays and so far all have been vulnerable (including my own one) to one or both of theses attacks. | |||
; Fix : [https://wiki.secondlife.com/w/index.php?title=LSL_Protocol%2FRestrained_Life_Relay%2FOther_Implementations%2FMaike_Short%27s_Relay&diff=255362&oldid=253182 Maike's fix] | |||
== 1.020 == | |||
Version 1.020 reintroduces all the problems listed in 1.014. | |||
=== Foreign Channel Chat === | |||
; Discovered by : Maike Short | |||
; Description : An object can force the agent to say any lower case text on any channel using @getstatus | |||
; Note : Relays which do not add any restriction on their own (like @detach=n) may be abused using @gestatus to trigger dialog responses, gag talk or other scripts like "to buy as gift, say the name of the receiver on channel /''x''". Any version of the reference implementation smaller than (not including) 1.015 (but including 1.020 which is based on 1.014) are affected by this. | |||
; Workaround : none | |||
; Fixed : in [[LSL Protocol/Restrained Life Relay/Other Implementations/Maike Short's Relay|Maike Short's Relay]] | |||
; Proposed fixed : Add "this-is-a-script-generated-message-beyond-the-control-of-the-agent/" at the beginning of @getstatus-replies on all channel by issuing this as the very first restriction. This still allows to trigger gags but it will include a human readable warning (if you speak Gagish well enough). The usual "to buy as gift, say the name of the receiver on channel /''x''" scripts will try to resolve this text as part of the name and will fail because such long avatar names are not allowed. Other scripts waiting for commands are very likely not to accept this text either. A more secure solution would be to define one single channel which must be used for such queries but that would break a lot of content. | |||
:: It would probably be sufficient to "ko" @getstatus=x requests where x < 1000. Most gags or other scripts that expect human-typed channel numbers stick to < 1000, whereas most furniture looking for status use much larger channel numbers (mine use random channels, but with a minimum of 1000000, for example). --Julia Banshee | |||
::: I agree that disallowing low channel numbers for all query types may be a good idea and I am not objecting a change of the spec although it has a low change of breaking content. (Well, since Marine is back, i can easily say this without having to think about all the time it will cost me to talk to affected people). I strongly suggest, however, to put something at the beginning of @getstatus replies anyway. Fixed high level channels with a filter to the owner are sometimes used for debugging. (Yes, I am having a concrete object in my mind). --[[User:Maike Short|Maike Short]] 11:03, 18 September 2008 (PDT) | |||
:: This problem appears related to the Fake Avatar Chat above. This issue could be fixed with the RLV Viewer itself, by simply discarding invalid restrictions, preventing this from ocurring in the first place and improving the performance of every relay out there by removing unnecessary checks. --[[User:Da Chrome|Da Chrome]] 7 December 2011 | |||
=== Foreign Public Chat === | |||
; Discovered by : Maike Short | |||
; Description : An object can force the agent to say any text in public chat using @getstatus=0 and use similar functions (like @version) to spam other text there. | |||
; Note : This allows the same abuse mentioned in the above entry, too. But being public chat makes even non abusable cases very annoying. | |||
; Workaround : none | |||
; Fixed : in the Restraint Life Viewer version 1.12.4. For older viewers the relay should prevent it: [[LSL Protocol/Restrained Life Relay/Other Implementations/Maike Short's Relay|Maike Short's Relay]] | |||
; Proposed fixed : The relay should filter all queries directed to answer on channel 0 for Restraint Life Viewer version 1.12.3 and lower. Add this at the end of the huge if / else if / else if block in executeRLVCommand | |||
<source lang="lsl2"> | |||
else if ((integer) param == 0) { | |||
// this is either an unknown param (not "n", "add", "y", "rem", "force") | |||
// or a query which should be answered on the public chat channel 0. | |||
ack(cmd_id, id, command, "ko"); | |||
return; | |||
} | |||
</source> | |||
=== Relay Crash in Ask mode === | |||
; Discovered by : Maike Short | |||
; Description : A malicious objects scans for all avatars within the sensor range. For each avatar a new object is rezes out of the content. This objects sends 10 messages to the relay each of about 1000 characters causing sPendingMessage to overflow. After the 10 messages are send these objects die making tracking very difficult. | |||
; Note : Some relays accept commands from objects more than <del>20</del>100 meters away so the attacking objects can be hidden far away. | |||
; Workaround : None | |||
; Open : although fixed in version 1.15 it was reintroduced by the revert in version 1.02 | |||
== 1.015 == | |||
The below problems are fixed [[LSL_Protocol/Restrained_Life_Relay/Other_Implementations/Maike_Short's_Relay|here]], except for the forced sit issue below. | |||
== 1.014 == | |||
The following problems occured in version 1.014 and have been fixed: | |||
=== Stuck: Accepting Permission Dialog after !release === | |||
; Discovered by : Maike Short | ; Discovered by : Maike Short | ||
; Workaround : Don't accept requests after you have been freed. In case it happend, reenter the cage / sit down again; relog. | ; Workaround : Don't accept requests after you have been freed. In case it happend, reenter the cage / sit down again; relog. | ||
; Fixed : in | ; Fixed : in 1.015 | ||
== Force Sit during Login on the control object instead of the forced-sit one == | === Force Sit during Login on the control object instead of the forced-sit one === | ||
; Discovered by : Azoth Amat | ; Discovered by : Azoth Amat | ||
; Workaround : | ; Workaround : Always send a "@sit:<id>=force" command if you want a forced sit on relog, even if the victim is already sitting. | ||
; | ; Fix : change in <code>timer()</code>: <code>sendRLCmd ("@sit:"+(string)kSource+"=force");</code> to <code>sendRLCmd ("@sit:"+(string)lastForceSitDestination+"=force");</code> | ||
; Note : This prevents @unsit to work in case the person set down without being forced. | ; Note : This prevents @unsit to work in case the person set down without being forced if the furniture in question hasn't sent a @sit:<id>=force command. (This should probably be considered a bug in the furniture, not the relay.) | ||
; Fixed : in 1.015 (but that fix breaks other things, forcing sits when not appropriate), and 1.02 (that fix always works, assuming the furniture is properly setting the @sit destination) | |||
:: Sending a bogus force sit on sit as you suggested may not work if force-sits are filtered. As far as I know there is no way for an attachment to detect the object the avatar is sitting on. So the relay will not be able to tell real force-sits (which should be subjected to the filter) and bogus force-sits for this problem apart. | |||
:: It could accept a force-sit on the control-object but this would allow to kidnap an agent sitting on an other object. Well, the same can happen with my approach of using the sending object as fall back. Could you give an example for a forced sit when not appropriate with my approach? This may reveal other aspects of the problem. | |||
:: The specification says "Force sit if unsit is prevented when relogging" in "Relay requirements" so I think objects that just send @unsit=n without force-sit should not be called buggy. If it turns out the current approach does cause more problems than it fixes it may be worth to adjust the spec. But this will cause existing world object to break so should not be taken lightly. --[[User:Maike Short|Maike Short]] 12:55, 17 September 2008 (PDT) | |||
== Stuck on crash/relog with objects asking for relay upon being sat on == | === Stuck on crash/relog with objects asking for relay upon being sat on === | ||
; Discovered by : Gregor Mougin | ; Discovered by : Gregor Mougin | ||
Line 20: | Line 118: | ||
; Workaround : none | ; Workaround : none | ||
; Suggested fix : | ; Suggested fix : | ||
< | <source lang="diff"> | ||
--- RLV_v1.014a 2008-07-06 23:17:14.000000000 +0200 | --- RLV_v1.014a 2008-07-06 23:17:14.000000000 +0200 | ||
+++ RLV_v1.014a-xxx 2008-07-06 23:18:32.000000000 +0200 | +++ RLV_v1.014a-xxx 2008-07-06 23:18:32.000000000 +0200 | ||
Line 63: | Line 161: | ||
{ | { | ||
debug("asking for permission because kSource is NULL_KEY"); | debug("asking for permission because kSource is NULL_KEY"); | ||
</ | </source> | ||
; Fixed : in 1.015 by specially looking for the !pong reply so that the fix works for cages as well (no "force sit" in this situation but a collision detection which is triggered on login, too). |
Latest revision as of 12:22, 25 January 2015
Functions in discussion/development
Discussion about new features in 1.040
1.040
Maike Short single script version
- Description
- In the listen event for the permission dialog, the message is always freed before being sent to the process function => the message is never handled and permission is never given.
- Discovered by
- herina Bode
- Fix
- Replace call to processDialogResponse(id, message) by processDialogResponse(id, currentMessage);
1.030
isObjectNear and non existing objects
- Description
- If an object does not exist (anymore) in the current sim and its neighbors, llGetObjectDetails returns <0, 0, 0>, which means it is wrongly detected as being close if you are within 100m of that location.
- Discovered by
- Kitty Barnett
- Fix
- Maike's fix
groupless objects are trusted on parcels not set to a group
- Description
- On a parcel which is not set to a group, the not-owner warning is not displayed for groupless objects
- Discovered by
- Kitty Barnett
- Fix
- Maike's fix
Fake Avatar Chat
- Description
- 1. An object can remove the guarding prefix for chatting on channel using =y. 2. An object can use @getstatus=n or @getstatus=-1 (and in some cases @getstatus=some random text) to cause the agent to shout on public chat. This works for the other query commands as well.
- Discovered by
- Marissa Mistwallow and Maike Short
- Affected relays
- I did some quick tests on a number of different relays and so far all have been vulnerable (including my own one) to one or both of these attacks.
- Fix
- Maike's fix
1.020
Version 1.020 reintroduces all the problems listed in 1.014.
Foreign Channel Chat
- Discovered by
- Maike Short
- Description
- An object can force the agent to say any lower case text on any channel using @getstatus
- Note
- Relays which do not add any restriction on their own (like @detach=n) may be abused using @getstatus to trigger dialog responses, gag talk or other scripts like "to buy as gift, say the name of the receiver on channel /x". Any version of the reference implementation lower than (not including) 1.015 (but including 1.020, which is based on 1.014) is affected by this.
- Workaround
- none
- Fixed
- in Maike Short's Relay
- Proposed fix
- Add "this-is-a-script-generated-message-beyond-the-control-of-the-agent/" at the beginning of @getstatus replies on all channels by issuing this as the very first restriction. This still allows gags to be triggered, but it will include a human-readable warning (if you speak Gagish well enough). The usual "to buy as gift, say the name of the receiver on channel /x" scripts will try to resolve this text as part of the name and will fail because such long avatar names are not allowed. Other scripts waiting for commands are very likely not to accept this text either. A more secure solution would be to define one single channel which must be used for such queries, but that would break a lot of content.
- It would probably be sufficient to "ko" @getstatus=x requests where x < 1000. Most gags or other scripts that expect human-typed channel numbers stick to < 1000, whereas most furniture looking for status use much larger channel numbers (mine use random channels, but with a minimum of 1000000, for example). --Julia Banshee
- I agree that disallowing low channel numbers for all query types may be a good idea and I am not objecting to a change of the spec although it has a low chance of breaking content. (Well, since Marine is back, I can easily say this without having to think about all the time it will cost me to talk to affected people). I strongly suggest, however, to put something at the beginning of @getstatus replies anyway. Fixed high level channels with a filter to the owner are sometimes used for debugging. (Yes, I am having a concrete object in my mind). --Maike Short 11:03, 18 September 2008 (PDT)
- This problem appears related to the Fake Avatar Chat above. This issue could be fixed with the RLV Viewer itself, by simply discarding invalid restrictions, preventing this from occurring in the first place and improving the performance of every relay out there by removing unnecessary checks. --Da Chrome 7 December 2011
Foreign Public Chat
- Discovered by
- Maike Short
- Description
- An object can force the agent to say any text in public chat using @getstatus=0 and use similar functions (like @version) to spam other text there.
- Note
- This allows the same abuse mentioned in the above entry, too. But being public chat makes even non-abusable cases very annoying.
- Workaround
- none
- Fixed
- in the Restrained Life Viewer version 1.12.4. For older viewers the relay should prevent it: Maike Short's Relay
- Proposed fix
- The relay should filter all queries directed to answer on channel 0 for Restrained Life Viewer version 1.12.3 and lower. Add this at the end of the huge if / else if / else if block in executeRLVCommand:
else if ((integer) param == 0) {
    // this is either an unknown param (not "n", "add", "y", "rem", "force")
    // or a query which should be answered on the public chat channel 0.
    ack(cmd_id, id, command, "ko");
    return;
}
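One way a relay could apply the channel checks discussed in the two entries above, as an added example that is not code from the reference relay or from Maike Short's Relay. The function names, the QUERY_BEHAVIOURS list (only the two query commands this page names) and the sample commands are assumptions; the 1000 threshold is the value proposed in the discussion above. Behaviours not in the list are treated as restrictions, so a numeric parameter on them is refused.

```lsl
// Added example: fail-closed parameter check for incoming RLV commands.
integer MIN_QUERY_CHANNEL = 1000;          // threshold proposed in the discussion
list QUERY_BEHAVIOURS = ["getstatus", "version"]; // assumption: extend as needed
list KNOWN_PARAMS = ["n", "add", "y", "rem", "force"];

// TRUE only for a canonical decimal channel number >= MIN_QUERY_CHANNEL.
integer isSafeQueryChannel(string param)
{
    integer channel = (integer)param;
    // The round trip rejects "n", "12abc", "0x10", " 5" and random text,
    // all of which the cast would otherwise turn into some integer.
    if ((string)channel != param) return FALSE;
    // The range check rejects 0 (public chat), negatives and low channels.
    return channel >= MIN_QUERY_CHANNEL;
}

// TRUE if a single "@behaviour[:option]=param" command may go to the viewer.
integer isAllowedCommand(string command)
{
    integer eq = llSubStringIndex(command, "=");
    if (llGetSubString(command, 0, 0) != "@") return FALSE;
    if (eq < 2) return FALSE;              // no "=" or empty behaviour
    // An empty param must be caught here: llGetSubString wraps around
    // when the start index lies past the end of the string.
    if (eq == llStringLength(command) - 1) return FALSE;

    string param = llGetSubString(command, eq + 1, -1);
    list parts = llParseStringKeepNulls(llGetSubString(command, 1, eq - 1), [":"], []);
    string behaviour = llToLower(llList2String(parts, 0));
    if (behaviour == "") return FALSE;

    if (llListFindList(QUERY_BEHAVIOURS, [behaviour]) != -1)
        return isSafeQueryChannel(param);
    return llListFindList(KNOWN_PARAMS, [param]) != -1;
}

default
{
    state_entry()
    {
        // Constructed sample commands, not captured traffic.
        list samples = ["@getstatus=0", "@getstatus=-1", "@getstatus=n",
                        "@getstatus=some random text", "@version=12",
                        "@getstatus=2222222", "@detach=n", "@sit="];
        integer i;
        for (i = 0; i < llGetListLength(samples); ++i)
        {
            string cmd = llList2String(samples, i);
            string verdict = "ko";
            if (isAllowedCommand(cmd)) verdict = "ok";
            llOwnerSay(cmd + " -> " + verdict);
        }
    }
}
```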
Relay Crash in Ask mode
- Discovered by
- Maike Short
- Description
- A malicious object scans for all avatars within the sensor range. For each avatar a new object is rezzed out of the content. This object sends 10 messages to the relay, each of about 1000 characters, causing sPendingMessage to overflow. After the 10 messages are sent these objects die, making tracking very difficult.
- Note
- Some relays accept commands from objects more than 100 meters away so the attacking objects can be hidden far away.
- Workaround
- None
- Open
- although fixed in version 1.15 it was reintroduced by the revert in version 1.02
1.015
The below problems are fixed here, except for the forced sit issue below.
1.014
The following problems occurred in version 1.014 and have been fixed:
Stuck: Accepting Permission Dialog after !release
- Discovered by
- Maike Short
- Workaround
- Don't accept requests after you have been freed. In case it happened, re-enter the cage / sit down again; relog.
- Fixed
- in 1.015
Force Sit during Login on the control object instead of the forced-sit one
- Discovered by
- Azoth Amat
- Workaround
- Always send a "@sit:<id>=force" command if you want a forced sit on relog, even if the victim is already sitting.
- Fix
- change in timer(): sendRLCmd ("@sit:"+(string)kSource+"=force"); to sendRLCmd ("@sit:"+(string)lastForceSitDestination+"=force");
- Note
- This prevents @unsit from working in case the person sat down without being forced, if the furniture in question hasn't sent a @sit:<id>=force command. (This should probably be considered a bug in the furniture, not the relay.)
- Fixed
- in 1.015 (but that fix breaks other things, forcing sits when not appropriate), and 1.02 (that fix always works, assuming the furniture is properly setting the @sit destination)
- Sending a bogus force sit on sit as you suggested may not work if force-sits are filtered. As far as I know there is no way for an attachment to detect the object the avatar is sitting on. So the relay will not be able to tell real force-sits (which should be subjected to the filter) and bogus force-sits for this problem apart.
- It could accept a force-sit on the control-object but this would allow to kidnap an agent sitting on another object. Well, the same can happen with my approach of using the sending object as fall back. Could you give an example for a forced sit when not appropriate with my approach? This may reveal other aspects of the problem.
- The specification says "Force sit if unsit is prevented when relogging" in "Relay requirements" so I think objects that just send @unsit=n without force-sit should not be called buggy. If it turns out the current approach does cause more problems than it fixes it may be worth to adjust the spec. But this will cause existing world objects to break so should not be taken lightly. --Maike Short 12:55, 17 September 2008 (PDT)
Stuck on crash/relog with objects asking for relay upon being sat on
- Discovered by
- Gregor Mougin
- Problem
- Many objects check for presence of a relay and the RR viewer by asking for the !version when sat on. If the user crashes, and the object was used by someone else in the meantime (or, for testing, reset), the relay enforces all previous restrictions whereas the object doesn't know of them.
- Workaround
- none
- Suggested fix
--- RLV_v1.014a 2008-07-06 23:17:14.000000000 +0200
+++ RLV_v1.014a-xxx 2008-07-06 23:18:32.000000000 +0200
@@ -545,10 +545,16 @@
loginPendingForceSit = FALSE;
releaseRestrictions();
}
- else
- {
- sendRLCmd ("@sit:"+(string)kSource+"=force");
- }
+ // XXX
+ // DON'T do it here
+ // Some (many?) objects ask the relay for the !version upon
+ // sitting on it. Since the !version is interpreted the same
+ // as !pong, the relay would think the object is still available
+ // and put all restrictions on the wearer unconditionally.
+ //else
+ //{
+ // sendRLCmd ("@sit:"+(string)kSource+"=force");
+ //}
}
if (!loginPendingForceSit && !loginWaitingForPong)
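Review bot: The old else branch is left in the file as commented-out code (`//else`, `//{`, `// sendRLCmd (...)`, `//}`) between XXX markers; delete it and keep only the explanatory comment, since the removed lines are already recorded by the diff. The comment also names the underlying cause, that !version is interpreted the same as !pong, and this hunk works around that rather than changing it. With the else gone, nothing in these lines clears loginPendingForceSit when no reply arrives, so the `if (!loginPendingForceSit && !loginWaitingForPong)` that follows depends entirely on the second hunk having run.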
@@ -583,6 +589,18 @@
loginWaitingForPong = FALSE; // whatever the message, it is for me => it satisfies the ping request
+ // XXX
+ // force sit here instead of unconditionally in the timer event
+ if (loginPendingForceSit)
+ {
+ integer agentInfo = llGetAgentInfo(llGetOwner());
+
+ loginPendingForceSit = FALSE;
+ if (!(agentInfo & AGENT_SITTING))
+ sendRLCmd ("@sit:"+(string)kSource+"=force");
+ }
+ // end XXX
+
if (!isObjectKnow(id))
{
debug("asking for permission because kSource is NULL_KEY");
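Review bot: The added force sit runs before the `if (!isObjectKnow(id))` check and never compares id with kSource, so a message from any object that reaches this point clears loginPendingForceSit and sends `@sit:<kSource>=force`. The context line above the addition says any message satisfies the ping request, which means a !version query from a reset or reused object still counts as the pong, the case the comment in the first hunk describes. Suggest gating the block on id == kSource (or on the message being an actual !pong) and moving it after the known-object check; the inner `if (!(agentInfo & AGENT_SITTING))` would also read better with braces, matching the surrounding style.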
- Fixed
- in 1.015 by specially looking for the !pong reply so that the fix works for cages as well (no "force sit" in this situation but a collision detection which is triggered on login, too).