Lindens prevent escape


Keiko Rau and I have finally found why her servers are broken. The answer is simple really. The servers running on the 1.19 update (specifically Second Life Server 1.19.0.79086) have a bug in the llEscapeURL method.


Originally, this method should be escaping any character that is not a-z, A-Z, or 0-9. This makes the other characters safe to send back and forth to other web servers on the internet. When you escape a character, it is translated into its hexadecimal equivalent. For example, a plus sign becomes %2B (hex is 0x2B, decimal is 43).


Keiko Rau was only affected by one character: the equal sign. She had URL-encoded a base64 string and then created a hash on it. The hash didn’t match what her server expected because those values are automatically URL-decoded on her web server (except the now non-encoded equal signs). I am not sure of the exact details, but the encoding was the heart of the matter.


I created a script to discover the extent of the problem. I simply looped through 0 to 255 and recorded the corresponding ASCII character value in a list. I then hopped on over to a 1.18 Havok sim and compared the values. A list of the values that didn’t match was spit out.

Los Arboles (81, 236) - Feb 1, 2008 (217 days ago) by Dedric Mauriac
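The 0 to 255 comparison and the hash mismatch described above, as an added Python example that is not the author's LSL script. It goes one step beyond the post by also checking the hash agreement a receiving server could perform. Assumptions: `simulated_buggy_escape` is a hypothetical stand-in that leaves only "=" unescaped (the one character the post names), SHA-256 stands in for the unspecified hash, and the server is assumed to re-escape the decoded value before hashing.

```python
import base64
import hashlib
import hmac
import string
from urllib.parse import unquote_to_bytes

# Bytes the post says must pass through unescaped: a-z, A-Z, 0-9.
ALNUM = frozenset((string.ascii_letters + string.digits).encode("ascii"))


def escape(data: bytes, passthrough=ALNUM) -> str:
    """Percent-encode every byte not in `passthrough` as %XX."""
    return "".join(chr(b) if b in passthrough else f"%{b:02X}" for b in data)


def reference_escape(data: bytes) -> str:
    """Behaviour the post describes as correct."""
    return escape(data)


def simulated_buggy_escape(data: bytes) -> str:
    """Hypothetical broken escaper (assumption): '=' is left unencoded."""
    return escape(data, ALNUM | {ord("=")})


def mismatched_bytes(candidate, reference=reference_escape) -> list:
    """Byte values 0..255 whose escaped form differs from the reference."""
    return [b for b in range(256)
            if candidate(bytes([b])) != reference(bytes([b]))]


def signatures_agree(payload: bytes, client_escape) -> bool:
    """Assumed flow: the client hashes its escaped string; the server
    URL-decodes what it received, re-escapes it with the reference rule
    and hashes that. SHA-256 is an assumption, not from the post."""
    sent = client_escape(payload)
    client_hash = hashlib.sha256(sent.encode("ascii")).hexdigest()
    canonical = reference_escape(unquote_to_bytes(sent))
    server_hash = hashlib.sha256(canonical.encode("ascii")).hexdigest()
    return hmac.compare_digest(client_hash, server_hash)


# Constructed sample: base64 with '=' padding, like the affected payload.
SAMPLE = base64.b64encode(b"abcd")  # b"YWJjZA=="

if __name__ == "__main__":
    print("mismatched bytes:", mismatched_bytes(simulated_buggy_escape))
    print("reference agrees:", signatures_agree(SAMPLE, reference_escape))
    print("buggy agrees:", signatures_agree(SAMPLE, simulated_buggy_escape))
```

Passing a real escaper's per-byte output to `mismatched_bytes` in place of the simulated one gives the same kind of mismatch list the post describes.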
