[Kamailio-Devel] [ openser-Bugs-2740437 ] PUBLISH authentication is wrong

SourceForge.net noreply at sourceforge.net
Tue May 19 09:31:22 CEST 2009 

Bugs item #2740437, was opened at 2009-04-07 14:28
Message generated for change (Comment added) made by miconda
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2740437&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: modules
Group: ver devel
Status: Open
Resolution: None
Priority: 7
Private: No
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: PUBLISH authentication is wrong

Initial Comment:
Hi!

For PUBLISH requests, Authentication user should be checked against RURI. Thus, realm should be derived from RURI too.

Can someone please review the patch - I am not sure if the usage of &(_m->parsed_uri) is correct in this situation.

thanks


----------------------------------------------------------------------

>Comment By: Daniel-Constantin Mierla (miconda)
Date: 2009-05-19 10:31

Message:
IMO, the from has to be auth'ed as well. Other opinions? Can we close
this?

Anyhow, auth module allows to use username from any field with
pv_proxy|www_authorize(). proxy|www_challenge() takes any PV as realm
parameter. So the behaviour can be achieved with sqlops (to load passwed
from db) and auth for the rest.

----------------------------------------------------------------------

Comment By: Iñaki Baz Castillo (ibc_sf)
Date: 2009-04-16 16:50

Message:
I copy part of my mail in devel maillist about this report:

I don't agree on the patch behaviour. For PUBLISH the credentials username
should be matched against the From username. For example, a presence user
agent (pua at domain) could publish state for bob at domain.org, but we still
need pua to authenticate against us. In my opinion, the logical behaviour
would be:

is_method("PUBLISH") {

 if !  check_from() {
   sl_send_reply("403", "You are not who you say");
   exit();
 }

 if au != fu {
     if fu == "sip:pua at domain" {
       xlog("L_INFO", "Thirdy party PUBLISH allowed for PUA \n");
     }
     else {
       sl_send_reply("403", "Thirdy Party PUBLISH not allowed for you");
       exit();
    }
 }

}


So I consider the proposed patch as wrong since it avoids authenticated
thirdy party publish.


----------------------------------------------------------------------

Comment By: Iñaki Baz Castillo (ibc_sf)
Date: 2009-04-14 18:23

Message:
I have no checked the patch yet, but I confirm that for PUBLISH, the RURI
should be checked instead of the From or To.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=2740437&group_id=139143

More information about the Devel mailing list