Hi,
I'm trying to set up SER to only allow UAs to register their "location" MySQL entry as specified in the "subscriber" table. Currently an authorized user can set an arbitrary value in the "location" table. What's to prevent 1 authorized user from stealing another's location entry? For instance:
user1 - REGISTER sip:user1.blah.internal
user2 - REGISTER sip:user1.blah.internal
Now user2 has hijacked user1's location.
Thanks JD
Jan,
This is the purpose of the check_to() function in the uri.so module. It checks that the URI matches the user. Put this just before you save the location:
    if ( ! check_to() ) {
        sl_send_reply( "401", "Unauthorized" );
        break;
    };
Alistair Cunningham, Integrics Ltd, Telephony, Database, Unix consulting worldwide +44 (0)7870 699 479 http://integrics.com/
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
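Where the check from the reply sits in a REGISTER branch, shown before and after, as an added example that is not part of the original thread. The realm `example.internal` is a placeholder, and the surrounding `www_authorize()` / `www_challenge()` calls against the "subscriber" table are an assumed typical setup, not the poster's actual configuration.

```cfg
# Added illustration, not from the thread. "example.internal" is a
# placeholder realm; only one of the two branches belongs in a real ser.cfg.

# Before: any authenticated subscriber can bind a contact to any To URI.
if (method=="REGISTER") {
    if (!www_authorize("example.internal", "subscriber")) {
        www_challenge("example.internal", "0");
        break;
    };
    # Nothing here compares the digest username with the To URI, so
    # user2's valid credentials are enough to overwrite user1's entry.
    save("location");
    break;
};

# After: the To URI must match the authenticated user before saving.
if (method=="REGISTER") {
    if (!www_authorize("example.internal", "subscriber")) {
        www_challenge("example.internal", "0");
        break;
    };
    # check_to() (uri module) has to run after authentication, because
    # it compares the To URI against the verified digest credentials.
    if (!check_to()) {
        sl_send_reply("401", "Unauthorized");
        break;
    };
    save("location");
    break;
};
```

Placing `check_to()` ahead of `www_authorize()` leaves it with no verified credentials to compare against, so the order of the two checks matters as much as their presence.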