[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong
Juha Heinanen
jh at tutpro.com
Thu Apr 16 15:07:27 CEST 2009
Iñaki Baz Castillo writes:
> Imagine the following case:
>
> PUBLISH sip:bob at domain
> From: sip:alice at domain
> To: sip:bob at domain
> Authorization: DIGEST username="alice" ...
>
> If we match the From username against the credentials username
> (alice), then this PUBLISH will be allowed, but the AoR for which it
> will publish the state is "bob at domain".
> This means that anyone could publish the state of other user.
i think we agree on this. it is not the task of authorization module to
decide if alice is allowed to publish bob's presence.
> > i personally check in my script that from uri of publish matches ruri
> > and thus to me it is irrelevant if authentication user is taken from
> > from uri or ruri.
>
> Yes, finally I agree on it. This patch is wrong since it avoids third
> party authentication (when requiring the presence user agent to
> authenticate).
yes, klaus, could you withdraw your sf submission?
-- juha
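The policy the thread settles on, written up as an added Python example (not Kamailio/OpenSER code): authentication binds the digest username to the From user, and a separate routing-script check requires the From AoR to equal the Request-URI AoR so that alice cannot publish bob's state. The sample PUBLISH is constructed from the case above, and the digest response itself is assumed to have already been verified by the auth module.

```python
import re

# Constructed sample: alice authenticates correctly but the Request-URI
# names bob's AoR, which is the case discussed in the thread.
SAMPLE_PUBLISH = (
    "PUBLISH sip:bob@domain SIP/2.0\r\n"
    "From: <sip:alice@domain>;tag=1928\r\n"
    "To: <sip:bob@domain>\r\n"
    'Authorization: Digest username="alice", realm="domain", nonce="n1", response="r1"\r\n'
    "Event: presence\r\n"
    "\r\n"
)

def parse_request(raw):
    """Return (method, request_uri, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, ruri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, ruri, headers

def aor(uri_field):
    """Reduce a bare URI or a name-addr header value to (user, domain)."""
    m = re.search(r"sips?:([^@;>\s]+)@([^;>\s]+)", uri_field)
    if not m:
        raise ValueError("no SIP URI in %r" % uri_field)
    return m.group(1), m.group(2).lower()

def digest_username(auth_value):
    """Extract the username parameter from a Digest Authorization header."""
    m = re.search(r'username="([^"]*)"', auth_value)
    return m.group(1) if m else None

def publish_allowed(raw):
    """Decide whether a PUBLISH may be accepted; returns (allowed, reason)."""
    method, ruri, headers = parse_request(raw)
    if method != "PUBLISH":
        return False, "not a PUBLISH"
    from_aor = aor(headers["from"])
    user = digest_username(headers.get("authorization", ""))
    # Authentication step: the verified credentials must belong to the From user.
    if user != from_aor[0]:
        return False, "credentials do not match From user"
    # Authorization step (the script-level check from the thread): the From
    # AoR must be the AoR whose presence state the Request-URI addresses.
    if from_aor != aor(ruri):
        return False, "From AoR differs from Request-URI AoR"
    return True, "ok"
```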