26 Sep
2024
26 Sep
'24
10:26 a.m.
### Description
`secf_check_sqli_all();` block requests when a single quote is present in From name :
```
From: "O'Reilly" <sip:100@example.net>;tag=abcd
```
Since single quotes are frequent in names.
It makes it difficult to use this function.
### Possible Solutions
A solution would be to skip single quote check in From name.
I'll write the PR if you are OK with this solution
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984(a)github.com>
26 Sep
26 Sep
10:40 a.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
I think the purpose of the secf_check_sqli_all() function is to prevent characters related
to SQL injection, not to check for valid SIP syntax. In this context the filtering of
single quotes is necessary. So this function is probably not useful for your purpose then.
If you are concerned about blocking characters which are not valid according to the SIP
grammar, you should use the sanity module.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2376165755
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2376165755(a)github.com>
12:12 p.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
Thomas, I think it might be interesting to avoid the check in the From Name, can you write
the PR?
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2376393149
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2376393149(a)github.com>
12:38 p.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
If you want to go for it, it probably make sense to adapt a flag based parameter for the
check. Something like:
- flag 1: skip From Name
- flag 2: skip To Name
- ..
Use e.g. like this: secf_check_sqli_all("3") to skip checking From and To Name.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2376449867
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2376449867(a)github.com>
12:58 p.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
Right now it is possible to check only some of the headers you are interested in using:
secf_check_sqli_hdr($ua);
The function secf_check_sqli_all(); checks all the headers and, it is true that in the
From Name header check, the double quotes are omitted, but I forgot to omit the single
quotes, maybe because in my country it is not common to use it in the name.
I think it would be enough to omit the single quote in the From Name header. Also, we
usually find SQL injections in the User, Domain fields and in the URI.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2376494517
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2376494517(a)github.com>
1:01 p.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
Ok, if its supposed to be excluded from the Name fields, then surely it just can be fixed.
Would be probably good to add a sentence to the documentation about it that the Names are
less thouroughly checked.
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2376501103
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2376501103(a)github.com>
4 Oct
4 Oct
9:43 a.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
The function secf_check_sqli_all(); checks all the
headers and, it is true that in the From Name header check, the double quotes are omitted,
but I forgot to omit the single quotes, maybe because in my country it is not common to
use it in the name.
Double quotes are ignored in From Name by the function `secf_get_from` only if they are
located at the first or last position of the string. Appart from first and last chars,
From Name is is checked with `sf_check_sqli` as other fields. Here I suggest to completly
remove single quote check in From Name.
Are still OK to remove single quote check in From Name ? And maybe in To Name? Or do we
need flags as proposed by @henningw earlier ?
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2392939595
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2392939595(a)github.com>
10:20 a.m.
New subject: [kamailio/kamailio] Secfilter : Allow single quotes in From name (Issue #3984)
I think in From Name you can only have double quotes at the beginning or at the end.
That's why it is only checked in the first or last position. Maybe I'm wrong.
Imho you can remove single quotes in From Name, and you can apply the same rules, for
single and double quotes, to To Name
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3984#issuecomment-2392999941
You are receiving this because you are subscribed to this thread.
Message ID: <kamailio/kamailio/issues/3984/2392999941(a)github.com>
31
days inactive
39
days old
7 comments
3 participants
participants (3)
-
Henning Westerholt -
Jose Luis Verdeguer
-
ThomasSevestre