Hi Conor,
see inline
On Friday 10 December 2004 17:49, Bob Cat wrote:
I've noticed most scripts checking from and to
parts are somewhat flawed.
Eg:
# if sender claims to be in our domain in From header field....
if (search("(f|From): .*@mydomain.com")) {
....
};
Looks ok right? Not really - I'll explain why.
I wanted my REGISTER request's host part to match my realm exactly to
avoid uri==myself matching and then the above example not
matching. A user could register @sipserver.mydomain.com and it would be
accepted. They'd be from our domain but without a check. So I did this:
if (method=="REGISTER") {
    if (search("^To: .*@mydomain.com"))
        { authenticate }
    else { no thanks }
}
But, this can be spoofed by setting a name (eg in kphone) with a domain
part.
The To part of the sip register message will then look like this:
To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>
And it will match. Bummer. Use check_to (I hope the parsing of this field
is accurate, I might take a look at the source!), or use a regexp like:
search("^To: .*sip:[^@]+@mydomain.com");
Hope that does it.
To: "regexp fake sip:foobar@mydomain" <sip:2001@sipserver.mydomain.com>
Just my 2 cents :-)
Greetings
Nils
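
The checks discussed in this thread, run side by side over constructed To headers. This is an added example, not code from either poster or from SER: `to_host`, `host_is_realm` and `evaluate` are hypothetical helpers, and the two regexes are the thread's patterns rewritten for Python's `re`, whose matching may differ from SER's `search()`.

```python
import re

REALM = "mydomain.com"  # realm name used in the thread

# The two header regexes from the thread, rewritten for Python's re module.
NAIVE = re.compile(r"^To: .*@mydomain.com")
TIGHTER = re.compile(r"^To: .*sip:[^@]+@mydomain.com")

# Hypothetical helpers: look at the URI itself instead of the raw header line.
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')  # quoted display name
IN_BRACKETS = re.compile(r"<\s*sips?:(?:[^@>]*@)?([^:;>?\s]+)", re.I)
BARE = re.compile(r"^\s*sips?:(?:[^@\s]*@)?([^:;?\s]+)", re.I)

def to_host(header):
    """Return the lower-cased host of the To URI, or None if not parseable."""
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() not in ("to", "t"):
        return None
    value = QUOTED.sub("", value)  # discard the display name before matching
    m = IN_BRACKETS.search(value) or BARE.match(value)
    return m.group(1).lower() if m else None

def host_is_realm(header):
    """Exact comparison: a subdomain of the realm is not the realm."""
    return to_host(header) == REALM

# Constructed sample headers; "display_name" is the To line quoted in the thread.
SAMPLES = {
    "plain": 'To: <sip:2001@mydomain.com>',
    "bare": 'To: sip:2001@mydomain.com',
    "subdomain": 'To: <sip:2001@sipserver.mydomain.com>',
    "display_name": 'To: "Hello @mydomain.com" <sip:2001@sipserver.mydomain.com>',
    "display_uri": 'To: "fake sip:foobar@mydomain.com" <sip:2001@sipserver.mydomain.com>',
}

def evaluate():
    """Map each sample to (naive regex, tighter regex, parsed-host check)."""
    return {k: (bool(NAIVE.search(h)), bool(TIGHTER.search(h)), host_is_realm(h))
            for k, h in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:13} naive={verdict[0]!s:5} tighter={verdict[1]!s:5} host={verdict[2]}")
```

Only the parsed-host check rejects every header whose actual URI host is not the realm; both regexes accept at least one header where the realm appears only in the display name.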