The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
-- This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
On Nov 14, 2011, at 9:00 PM, Juha Heinanen jh@tutpro.com wrote:
Daniel-Constantin Mierla writes:
auth: added new error code to auth API
- AUTH_USER_MISMATCH = -8 -- to be returned when auth user mismatch
from/to header user
daniel,
is this addition backwards compatible with current auth_db, i.e., is the check on by default?
i don't like it to be on by default, since in very common use cases, from/to uri userpart does not match authentication username. for example, from/to userpart could be an e.164 number +something, when auth username could be a name.
-- juha
sr-dev mailing list sr-dev@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
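
The check debated in this thread, as an added example that is not part of the original messages and is not the auth module's own code: it compares the digest username with the user part of a From/To header and returns the `AUTH_USER_MISMATCH` value from the commit message. The `AUTH_OK` value, the function names, the `allowed` alias table (one way to keep the check on while permitting an E.164 identity) and all sample values are assumptions constructed for illustration.

```python
import re

AUTH_OK = 1              # assumed success value for this sketch
AUTH_USER_MISMATCH = -8  # error code named in the commit message

_DIGEST_USER = re.compile(r'\busername="([^"]*)"')
_URI_USER = re.compile(r'sips?:([^@:;>\s]+)(?::[^@\s]*)?@')

def digest_username(authorization):
    """Return the username parameter of a Digest Authorization value."""
    m = _DIGEST_USER.search(authorization)
    return m.group(1) if m else None

def uri_user(hdr):
    """Return the user part of the SIP URI in a From/To header value."""
    m = _URI_USER.search(hdr)
    return m.group(1) if m else None

def check_auth_user(authorization, hdr, allowed=None):
    """Compare the authenticated username with the From/To user part.

    allowed (hypothetical) maps an auth username to the extra identities
    that account may assert, e.g. an E.164 number provisioned for it.
    """
    auth_user = digest_username(authorization)
    hdr_user = uri_user(hdr)
    if auth_user is None or hdr_user is None:
        return AUTH_USER_MISMATCH      # nothing to compare: fail closed
    if hdr_user == auth_user:
        return AUTH_OK
    if allowed and hdr_user in allowed.get(auth_user, ()):
        return AUTH_OK                 # provisioned alias for this account
    return AUTH_USER_MISMATCH          # valid credentials, someone else's identity

# Constructed sample values (not taken from the thread).
SAMPLE_AUTH = ('Digest username="alice", realm="example.com", nonce="n1", '
               'uri="sip:example.com", response="0123"')
FROM_SELF = '"Alice" <sip:alice@example.com>;tag=a1'
FROM_OTHER = '"Bob" <sip:bob@example.com>;tag=a1'
FROM_E164 = '<sip:+15551230001@example.com>;tag=a1'
ALIASES = {"alice": {"+15551230001"}}

if __name__ == "__main__":
    for hdr in (FROM_SELF, FROM_OTHER, FROM_E164):
        print(hdr, check_auth_user(SAMPLE_AUTH, hdr),
              check_auth_user(SAMPLE_AUTH, hdr, ALIASES))
```

Without the alias table, the E.164 From header is rejected exactly like the impersonation case, which is the compatibility concern raised about enabling the check by default.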