[Devel] escaped characters
Daniel-Constantin Mierla
daniel at voice-system.ro
Wed Dec 13 18:10:09 CET 2006
On 12/13/06 17:37, Klaus Darilion wrote:
> Juha Heinanen wrote:
>> Klaus Darilion writes:
>>
>> > Today I found out that openser does not unescape the escaped
>> characters > when parsing the message. Thus, it is easy to bypass
>> typical routing > logic by escaping the digits, e.g.
>> > > if (uri =~ "^sip:0900.*") {
>> > sl_send_reply("403","sex hotlines are not allowed");
>> > exit;
>> > }
>> > > can be tricked by calling sip:%30900...
>>
>> yes, if you accept % character in your r-uri to pstn.
>>
>> > Shouldn't we unescape the message when parsing?
>>
>> this has been discussed a few times before. i have suggested that we
>> should unescape characters at least in r-uri when request is received
>> and then escape them back when request is sent out.
>
> I agree with you - the parameters which will be used for routing
> (matching against regexp or simple if conditions) IMO MUST be
> unescaped to avoid bypassing the check.
>
> Bogdan, Daniel - what do you think?
yes, this should be done, but the case Klaus pointed can have escaped
digits -- in this case I would say not to escape them back (allowed
characters should not be escaped back).
Cheers,
Daniel
>
> regards
> klaus
>
More information about the Devel
mailing list