Hi List
I noticed, that one of our CPE copies the Proxy-Authorization HF in almost all messages sent.
As PRACK were not authenticated, those headers were potentially sent on to the destination disclosing the authentication username and realm.
So assuming, if credentials are present, the client wishes them to be validated, I added:
if (has_credentials("$fd")) { xlog("L_INFO", "$cfg(route): got $rm with credentials. Validate them!\n"); route(AUTH); }
and in route[AUTH] I call:
pv_auth_check() which returns 1 thus success upon which I use:
if(!is_method("REGISTER|PUBLISH")) consume_credentials();
If the method is INVITE:
Proxy-Authorization HF is removed by consume_credentials()
if the method is PRACK:
Proxy-Authorization HF is still present on the outbound leg.
Mit freundlichen Grüssen
-Benoît Panizzon-