[Devel] escaped characters
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Dec 13 13:34:11 CET 2006
Hi!
Today I found out that openser does not unescape the escaped characters
when parsing the message. Thus, it is easy to bypass typical routing
logic by escaping the digits, e.g.
    if (uri =~ "^sip:0900.*") {
        sl_send_reply("403","sex hotlines are not allowed");
        exit;
    }
can be tricked by calling sip:%30900...
Shouldn't we unescape the message when parsing?
How about CRLF in URIs? Are they parsed correctly so that matching
against a regular expression works?
regards
klaus
--
Klaus Darilion
nic.at
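
Added example, not part of the original post and not OpenSER code: a Python sketch of the routing rule from the message, matched once against the raw request URI and once against a form with %HH escapes decoded, with URIs that decode to CR/LF or carry a malformed escape rejected. The function names, the 400 response for rejected URIs and the sample URIs are assumptions made for illustration.

```python
import re

BLOCKED = re.compile(r"^sip:0900.*")              # the rule from the post
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")         # a well-formed %HH escape
BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
CONTROL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF and other control characters

def unescape(uri):
    """Decode each %HH escape exactly once (values above 0x7f map to Latin-1)."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)

def naive_route(uri):
    """Behaviour described in the post: the regex runs on the raw URI."""
    return "403" if BLOCKED.match(uri) else "relay"

def normalized_route(uri):
    """Reject malformed or control-character URIs, then match the decoded form.

    The decoded string is used only for the policy decision; what gets
    forwarded is a separate question not covered here.
    """
    if BAD_PERCENT.search(uri) or CONTROL.search(uri):
        return "400"
    decoded = unescape(uri)
    if CONTROL.search(decoded):
        return "400"
    return "403" if BLOCKED.match(decoded) else "relay"

# Constructed sample URIs (hypothetical numbers and domain).
SAMPLES = [
    "sip:0900123456@example.com",      # plain form, caught by both
    "sip:%30900123456@example.com",    # escaped digit from the post
    "sip:0%39%30%30123456@example.com",
    "sip:0800123456@example.com",      # not covered by the rule
    "sip:alice%0d%0a@example.com",     # decodes to CRLF
    "sip:%3@example.com",              # malformed escape
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r:40} raw={naive_route(uri):5} normalized={normalized_route(uri)}")
```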