[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

Juha Heinanen jh at tutpro.com
Thu Apr 16 15:07:27 CEST 2009

Iñaki Baz Castillo writes:

 > Imagine the following case:
 >   PUBLISH sip:bob at domain
 >   From: sip:alice at domain
 >   To: sip:bob at domain
 >   Authorization: DIGEST username="alice" ...
 > If we match the From username against the credentials username
 > (alice), then this PUBLISH will be allowed, but the AoR for which it
 > will publish the state is "bob at domain".
 > This means that anyone could publish the state of other user.

i think we agree on this.  it is not the task or authorization module to
decide, if alice is allowed to publish bob's presence.

 > > i personally check in my script that from uri of publish matches ruri
 > > and thus to me it is irrelevant if authentication user is taken from
 > > from uri or ruri.
 > Yes, finally I agree on it. This patch is wrong since it avoids thirdy
 > party authentication (when requiring the presence user agent to
 > authenticate).

yes, could you klaus withdraw the your sf submission?

-- juha

More information about the Devel mailing list