[OpenSER-Devel] [ openser-Bugs-1969445 ] "check_to" should allow hex escaped username

SourceForge.net noreply at sourceforge.net
Thu May 22 11:09:52 CEST 2008 

Bugs item #1969445, was opened at 2008-05-22 11:09
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1969445&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Iñaki Baz (ibc_sf)
Assigned to: Nobody/Anonymous (nobody)
Summary: "check_to" should allow hex escaped username

Initial Comment:
To be RFC3261 compliant a SIP proxy should accept hex encoded username in any URI, this is:

  sip:alice at domain == sip:%61l%69ce at domain

For allowing this we must use, explicitely, the trnasformation $(rU{s.unescape.user}). Unfortunatelly RFC3261 allows this hex escaping in any URI (From uri, To uri, Contact uri...).

But, is OpenSer ready to allow this escaped system globally? I don't think so. For example I send a REGISTER:

-------------------
REGISTER sip:openser.org SIP/2.0
From: sip:%3800 at openser.org;tag=18349ed0
To: sip:%3800 at openser.org
Contact: sip:800 at 90.90.90.90
-------------------

NOTE that "%3800" == "800".

When OpenSer requires me authentication I send:

-------------------
REGISTER sip:openser.org SIP/2.0
From: sip:%3800 at openser.org;tag=18349ed0
To: sip:%3800 at openser.org
Contact: sip:800 at 90.90.90.90
Authorization: Digest username="800", uri="sip:openser.org", algorithm=MD5, realm="openser.org", nonce="45353832c42ccf694d4f4aad19e3da236a84dd4d", qop=auth, nc=00000001, cnonce="76fe7385", response="6f19337d47752e6bc60b689d2688793f"�
-------------------

NOTE that Digest username is "800" (it cannot be escaped).

But in OpenSer I use "check_to()" to verify if Digest username is equal to username in "To" header, so "check_to()" will try to match "%3800" against "800" and it fails (it decides they are not equivalent while they do be).

The only way to allow it is by modifying "check_to" C code.

This is: the valid escenario described above (REGISTER with hex escaped "To" username) is not valid in OpenSer.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1969445&group_id=139143

More information about the Devel mailing list