[sr-dev] git:sr_3.0: modules_k/nathelper: handle_uri_alias() alias handling fix
Juha Heinanen
jh at tutpro.com
Wed Dec 30 16:37:03 CET 2009
Klaus Darilion writes:
> Note: If you are using add_contact_alias() and handle_ruri_alias() this
> means that you are routing based on the alias parameter. Thus, make sure
> that an attacker can not spoof this parameter, e.g. screen the contact
> header and RURI for existing 'alias' parameters. Especially for initial
> requests make sure to route only on alias parameters which were added by
> your system.
klaus,
thanks for your comment and tests.
in the alias usage example that i gave, handle_ruri_alias() is only
called on in-dialog requests. so i don't see any bigger security issue
if r-uri uri has alias param than if it doesn't.
> Maybe add_contact_alias() should overwrite existing alias parameters?
my opinion on this is that if someone wants to shoot him/herself in the
foot, then be it.
-- juha
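The screening Klaus describes, written out as an added Python example (it is not Juha's code and not part of nathelper): strip any attacker-supplied alias parameter from the Contact URI and the R-URI before your own alias is added, and only honour an alias when routing an in-dialog request (has_totag true). The example assumes the nathelper encoding of the alias value as ip~port~transport and the sample header and URIs are constructed for illustration.

```python
import re

# Assumed nathelper encoding of the alias value: ip~port~transport
ALIAS_VALUE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})~(\d{1,5})~(\d)$")
# Any ;alias=... URI parameter, whatever its value (stops at ';', '>' or whitespace)
ALIAS_PARAM_RE = re.compile(r";alias=[^;>\s]*")


def strip_alias(uri: str) -> str:
    """Remove every ;alias=... parameter from a SIP URI so that only an alias
    added by our own add_contact_alias() can end up in the stored contact."""
    return ALIAS_PARAM_RE.sub("", uri)


def screen_contact(header: str) -> str:
    """Strip alias params from the URI part of a Contact header value.

    Handles both the '"name" <sip:...>;expires=..' form (only the URI inside
    the angle brackets is touched, header params are left alone) and a bare
    'sip:...' value."""
    m = re.match(r"^(.*?<)(sips?:[^>]*)(>.*)$", header)
    if m:
        return m.group(1) + strip_alias(m.group(2)) + m.group(3)
    return strip_alias(header)


def parse_alias(uri: str):
    """Return (ip, port, transport) from exactly one well-formed alias
    parameter, or None if the alias is missing, duplicated or malformed."""
    params = ALIAS_PARAM_RE.findall(uri)
    if len(params) != 1:          # two aliases is already a smell: reject
        return None
    value = params[0][len(";alias="):]
    m = ALIAS_VALUE_RE.match(value)
    if not m:
        return None
    ip, port, transport = m.group(1), int(m.group(2)), int(m.group(3))
    if not (0 < port < 65536) or any(int(o) > 255 for o in ip.split(".")):
        return None
    return ip, port, transport


def route_target(ruri: str, has_totag: bool):
    """Policy from the thread: the alias is only honoured on in-dialog
    requests. An initial request carrying an alias gets None, i.e. the
    caller must route it by normal means instead of trusting the parameter."""
    if not has_totag:
        return None
    return parse_alias(ruri)


if __name__ == "__main__":
    # Constructed sample: a REGISTER Contact that already carries an alias
    contact = '"Alice" <sip:alice@10.0.0.5:5060;alias=1.2.3.4~5060~1>;expires=3600'
    print(screen_contact(contact))
    # Constructed sample: in-dialog R-URI with an alias our system added
    print(route_target("sip:bob@example.com;alias=10.0.0.5~5060~1", has_totag=True))
```

In a Kamailio/SR route this corresponds to cleaning the Contact and R-URI of initial requests before calling add_contact_alias(), and calling handle_ruri_alias() only inside the has_totag() branch, which is the usage Juha describes in his example.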