[Devel] escaped characters
Juha Heinanen
jh at tutpro.com
Wed Dec 13 16:33:13 CET 2006

Klaus Darilion writes:

> Today I found out that openser does not unescape the escaped characters
> when parsing the message. Thus, it is easy to bypass typical routing
> logic by escaping the digits, e.g.
>
> if (uri =~ "^sip:0900.*") {
>     sl_send_reply("403","sex hotlines are not allowed");
>     exit;
> }
>
> can be tricked by calling sip:%30900...

yes, if you accept % character in your r-uri to pstn.

> Shouldn't we unescape the message when parsing?

this has been discussed a few times before. i have suggested that we
should unescape characters at least in r-uri when request is received
and then escape them back when request is sent out.

-- juha
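
The mismatch discussed in this thread, as an added example that is not part of the original message and is not OpenSER code: a Python sketch that applies the quoted block rule to the R-URI as received and again after unescaping the user part, plus a check for the stricter policy of refusing escapes in PSTN-bound R-URIs. The function names, the sample URIs and the host example.com are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# The block rule from the quoted routing script.
BLOCK_RE = re.compile(r"^sip:0900.*")

def split_ruri(ruri):
    """Split 'sip:user@host' into (scheme, user, rest); rest keeps the '@'."""
    scheme, sep, remainder = ruri.partition(":")
    if not sep:
        raise ValueError("not a URI: %r" % ruri)
    user, at, host = remainder.partition("@")
    return scheme, user, at + host

def unescape_user(ruri):
    """Percent-decode the user part once; host and parameters are untouched."""
    scheme, user, rest = split_ruri(ruri)
    return "%s:%s%s" % (scheme, unquote(user), rest)

def naive_blocked(ruri):
    """Match the R-URI exactly as received (the behaviour reported above)."""
    return BLOCK_RE.match(ruri) is not None

def normalized_blocked(ruri):
    """Match only after the user part has been unescaped."""
    return BLOCK_RE.match(unescape_user(ruri)) is not None

def has_escaped_user(ruri):
    """True if the user part carries any %XX escape (strict PSTN policy)."""
    return re.search(r"%[0-9A-Fa-f]{2}", split_ruri(ruri)[1]) is not None

# Constructed sample R-URIs; example.com is a placeholder host.
SAMPLES = [
    "sip:0900123456@example.com",    # plain digits
    "sip:%30900123456@example.com",  # leading 0 written as %30
    "sip:0%3900123456@example.com",  # 9 written as %39
    "sip:0800123456@example.com",    # not covered by the rule
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print("%-32s raw=%-5s unescaped=%-5s has_escape=%s" % (
            uri, naive_blocked(uri), normalized_blocked(uri),
            has_escaped_user(uri)))
```

Only the copy used for matching is decoded here; the URI that is forwarded would still need to be escaped again on the way out, as suggested above.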