Hi Conor,
see inline
On Friday 10 December 2004 17:49, Bob Cat wrote:
I've noticed most scripts checking from and to parts are somewhat flawed. E.g.:
# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) { .... };
Looks ok right? Not really - I'll explain why.
I wanted my REGISTER request's host part to match my realm exactly to avoid uri==myself matching and then the above example not matching. A user could register @sipserver.mydomain.com and it would be accepted. They'd be from our domain but without a check. So I did this:
if (method=="REGISTER") {
    if (search("^To: .*@mydomain.com")) { authenticate } else { no thanks }
}
But, this can be spoofed by setting a name (e.g. in kphone) with a domain part. The To part of the SIP REGISTER message will then look like this:
To: "Hello @mydomain.com" sip:2001@sipserver.mydomain.com
And it will match. Bummer. Use check_to (I hope the parsing of this field is accurate, I might take a look at the source!), or use a regexp like:
search("^To: .*sip:[^@]+@mydomain.com");
Hope that does it.
To: "regexp fake sip:foobar@mydomain" sip:2001@sipserver.mydomain.com
Just my 2 cents :-)
Greetings Nils
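
Added example, not part of the original messages and not SER's check_to code: it runs the two patterns quoted in the thread over constructed To headers, next to a check that drops the quoted display name, parses the URI and compares its host with the realm exactly. The function names (to_host, in_realm) are hypothetical, and the angle brackets around the URI in the sample headers are an assumption about how the headers look on the wire.

```python
import re

REALM = "mydomain.com"  # realm name used in the thread

# The two patterns quoted in the thread, unchanged.
NAIVE = re.compile(r"^To: .*@mydomain.com")
TIGHTER = re.compile(r"^To: .*sip:[^@]+@mydomain.com")

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # quoted display name, with escapes
URI = re.compile(r"^sips?:(?:([^@;?]+)@)?([^:;?>\s]+)", re.I)

def to_host(header):
    """Return the lower-cased host of the URI in a To header, or None."""
    name, _, value = header.partition(":")
    if name.strip().lower() not in ("to", "t"):  # "t" is the compact form
        return None
    value = QUOTED.sub("", value)  # display name is free text: remove it first
    bracketed = re.search(r"<([^>]*)>", value)
    tokens = value.split()
    # The URI sits inside <...>; a bare URI is the last remaining token.
    uri = bracketed.group(1) if bracketed else (tokens[-1] if tokens else "")
    m = URI.match(uri.strip())
    return m.group(2).lower() if m else None

def in_realm(header):
    """Exact host comparison instead of a substring match on the raw line."""
    return to_host(header) == REALM

# Constructed sample headers, modelled on the spoofing idea in the thread.
SAMPLES = [
    'To: <sip:2001@mydomain.com>',
    'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>',
    'To: "regexp fake sip:foobar@mydomain.com" <sip:2001@sipserver.mydomain.com>',
]

def results():
    """(naive regex, tighter regex, parsed check) for each sample header."""
    return [(bool(NAIVE.search(h)), bool(TIGHTER.search(h)), in_realm(h))
            for h in SAMPLES]

if __name__ == "__main__":
    for header, row in zip(SAMPLES, results()):
        print(row, header)
```

Both regular expressions accept at least one header whose URI host is sipserver.mydomain.com, because they match on the raw line and the display name is attacker-chosen text; the parsed check rejects both.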