[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Iñaki Baz Castillo ibc at aliax.net
Thu Apr 16 14:56:19 CEST 2009

2009/4/16 Juha Heinanen <jh at tutpro.com>:
> SourceForge.net writes:
>  > For PUBLISH requests, Authentication user should be checked against
>  > RURI. Thus, realm should be derived from RURI too.
>  >
>  > Can someone please review the patch - I am not sure if the usage of
>  > &(_m->parsed_uri) is correct in this situation.

> i can take care of the patch, but i would like first to understand, why
> publish authentication should be done based on request uri.  is this
> because of third party publish or what?  normally the user itself (in
> from header) sends the publish.

Imagine the following case:

  PUBLISH sip:bob at domain
  From: sip:alice at domain
  To: sip:bob at domain
  Authorization: DIGEST username="alice" ...

If we match the From username against the credentials username
(alice), then this PUBLISH will be allowed, but the AoR for which it
will publish the state is "bob at domain".
This means that anyone could publish the state of other user.

RFC 3903 (PUBLISH) states it clearly: the RURI is the target AoR for
which the PUBLISH will take effect on the presence server. If we want
to allow third party publish, then our script should allow it (as if
we allow thirdy party registration).

Anyway I don't agree on the patch behaviour. For PUBLISH the
credentials username should be matched against the From username. For
example, a presence user agent (pua at domain) could publish state for
bob at domain.org, but we still need pua to authenticate against us. In
my opinion, the logical behaviour would be:

is_method("PUBLISH") {

  if !  check_from() {
    sl_send_reply("403", "You are not who you say");

  if au != fu {
      if fu == "sip:pua at domain" {
        xlog("L_INFO", "Thirdy party PUBLISH allowed for PUA \n");
      else {
        sl_send_reply("403", "Thirdy Party PUBLISH not allowed for you");


> i personally check in my script that from uri of publish matches ruri
> and thus to me it is irrelevant if authentication user is taken from
> from uri or ruri.

Yes, finally I agree on it. This patch is wrong since it avoids thirdy
party authentication (when requiring the presence user agent to

Iñaki Baz Castillo
<ibc at aliax.net>

More information about the Devel mailing list