On 01/09/15 10:08, Daniel Tryba wrote:
On Tuesday 01 September 2015 08:58:30 Daniel-Constantin Mierla wrote:
if($rd!=$fd) { send_reply("403", "Call outside the domain"); exit; }
What is stopping people from setting $fd to the desired domain? Isn't $ad a better var. for this since it isn't dependent on user supplied data (well it is, but then authentication will fail). Otherwise $fd should be used for authentication challenge/response.
The From domain is used to fetch the password along with the authentication username, so should be safe, because if the user uses the wrong domain, it won't get the password from db.
The authorization header might not carry any domain for the user; from a quick look at the source, $ad points to the domain part of the username attribute in the authorization header. From my experience, a username without domain in the authorization header is the common case.
Also, there should be checks that should not allow a From address that is not associated with the authentication username, with kamailio default config we enforce that From username is same as auth username.
Cheers, Daniel
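An added kamailio.cfg fragment, not from the thread or the Kamailio distribution, that ties the three points of the reply together: the From domain as the authentication realm, the From username tied to the auth username, and the request-domain check applied only to callers who have authenticated. It assumes the default "subscriber" table and that "myself" covers the served domains.

```cfg
# Added example (not from the thread). Authenticate local callers and
# then restrict them to calls within their own domain.
route[AUTH] {
    # Only challenge requests that claim to come from one of our users;
    # inbound calls from other domains are not authenticated here.
    if (is_method("REGISTER") || from_uri==myself) {
        # Realm is the From domain ($fd): the credential lookup is keyed on
        # (auth username, $fd), so a forged From domain finds no password.
        # Flag "1": the From username (To for REGISTER) must equal the
        # authenticated username, so a From URI cannot be borrowed.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        # Credentials verified; strip them before forwarding.
        if (!is_method("REGISTER|PUBLISH")) {
            consume_credentials();
            # $fd is now bound to real credentials, so comparing it with
            # the request-URI domain keeps the caller inside its own domain.
            if ($rd != $fd) {
                send_reply("403", "Call outside the domain");
                exit;
            }
        }
    }
    return;
}
```

The domain check sits inside the authenticated branch on purpose: running it on unauthenticated inbound calls from other domains would reject them all.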