[sr-dev] git:sr_3.0: modules_k/nathelper: handle_uri_alias() alias handling fix
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Dec 30 16:59:08 CET 2009
Juha Heinanen wrote:
> Klaus Darilion writes:
>
> > Note: If you are using add_contact_alias() and handle_ruri_alias() this
> > means that you are routing based on the alias parameter. Thus, make sure
> > that an attacker can not spoof this parameter, e.g. screen the Contact
> > header and RURI for existing 'alias' parameters. Especially for initial
> > requests make sure to route only on alias parameters which were added by
> > your system.
>
> klaus,
>
> thanks for your comment and tests.
>
> in the alias usage example that i gave, handle_ruri_alias() is only
> called on in-dialog requests. so i don't see any bigger security issue
> if r-uri uri has alias param than if it doesn't.
That means in your example it is safe to do. But other people will use
(these useful functions) in different scenarios - e.g. adding the alias
on an outbound proxy before forwarding it to a main proxy - thus users
should be sensitive about security too - not only about functionality.
And IMO *ser* lacks documentation of secure configuration.
regards
klaus
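The screening Klaus describes above, written out as a config fragment. This is an added example, not code from the thread, from the nathelper documentation, or from the sip-router project: it assumes a kamailio-flavoured sip-router 3.0 config with the nathelper, sl, siputils, pv and xlog modules loaded, uses nat_uac_test("19") as an assumed NAT-detection flag combination, and elides listen directives, registration handling and forwarding. The point it makes is ordering: the screen runs on initial requests before add_contact_alias() is ever called, so the proxy only ever acts on an alias it added itself, and handle_ruri_alias() is confined to in-dialog requests.

```cfg
#!KAMAILIO
# Added example (not the project's own config): reject attacker-supplied
# alias parameters before trusting them for routing.
loadmodule "sl.so"
loadmodule "siputils.so"
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "nathelper.so"

route {
    # Initial requests (no To-tag): nothing upstream of this proxy is
    # allowed to have set an alias, so an alias already present in the
    # Request-URI or the Contact is either a broken client or an attempt
    # to steer where the proxy sends the request. Drop it.
    if (!has_totag()) {
        if ($ru =~ "[;?]alias=" || $ct =~ "[;?]alias=") {
            xlog("L_WARN", "rejecting spoofed alias parameter from $si:$sp\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
        # Only now, after screening, add our own alias for NATed clients.
        # nat_uac_test("19") = private Contact IP (1) + received != Via (2)
        # + Contact IP != source IP (16); assumed flag choice for this example.
        if (nat_uac_test("19")) {
            add_contact_alias();
        }
        # ... registration / initial-request routing elided ...
    } else {
        # In-dialog requests: the Request-URI is built from a Contact that
        # this proxy rewrote itself, so routing on its alias is acceptable.
        # A real config would call loose_route() here as well.
        handle_ruri_alias();
    }
    # ... forwarding (t_relay etc.) elided ...
}
```

If the alias is added on an outbound proxy and consumed on a separate main proxy, as in Klaus's second scenario, the screen on the main proxy has to distinguish requests arriving from the trusted outbound proxy (by source address, or a dedicated listener) from requests arriving from anywhere else; a blanket regex match on the Request-URI alone cannot tell who inserted the parameter.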