[Devel] escaped characters
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Dec 13 16:37:42 CET 2006
Juha Heinanen wrote:
> Klaus Darilion writes:
>
> > Today I found out that openser does not unescape the escaped characters
> > when parsing the message. Thus, it is easy to bypass typical routing
> > logic by escaping the digits, e.g.
> >
> > if (uri =~ "^sip:0900.*") {
> > sl_send_reply("403","sex hotlines are not allowed");
> > exit;
> > }
> >
> > can be tricked by calling sip:%30900...
>
> yes, if you accept % character in your r-uri to pstn.
>
> > Shouldn't we unescape the message when parsing?
>
> this has been discussed a few times before. i have suggested that we
> should unescape characters at least in r-uri when request is received
> and then escape them back when request is sent out.

I agree with you - the parameters which will be used for routing
(matching against regexp or simple if conditions) IMO MUST be unescaped
to avoid bypassing the check.

Bogdan, Daniel - what do you think?

regards
klaus
--
Klaus Darilion
nic.at
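
The unescape-before-match step discussed in this thread, as an added example that is not part of the original posts and is not OpenSER code: the request URI is percent-decoded into a scratch copy and the regexp from the post runs on that copy. The function names and the 256-byte buffer are assumptions of this example.

```c
#include <ctype.h>
#include <regex.h>
#include <stddef.h>

/* Hypothetical helper, not OpenSER code: value of one hex digit, or -1. */
static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes from src into dst (dstlen bytes incl. NUL). Returns 0,
 * or -1 on a malformed escape, %00, or a too-small buffer. */
int uri_unescape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        int c = (unsigned char)src[i];
        if (c == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (lo < 0 || hi + lo == 0) return -1; /* malformed or %00 */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* The regexp from the post, applied to s exactly as given. 1 = match. */
int matches_0900(const char *s)
{
    regex_t re;
    if (regcomp(&re, "^sip:0900.*", REG_EXTENDED | REG_NOSUB) != 0) return 1;
    int hit = (regexec(&re, s, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Unescape first, then match. Fails closed: 1 = reject the request.
 * e.g. is_blocked("sip:%30900123456@example.com") == 1 (constructed URI) */
int is_blocked(const char *ruri)
{
    char plain[256]; /* assumed maximum URI length for this example */
    return uri_unescape(ruri, plain, sizeof plain) != 0 || matches_0900(plain);
}
```

The original request URI is left untouched; only the scratch copy is decoded, so nothing has to be re-escaped before the request is sent on.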