[sr-dev] git:master:d309e27b: secfilter: in check sql injection function initialize str variables to NULL. In get values from headers it is checked if From or To name is empty to avoid false positives

Jose Luis Verdeguer pepeluxx at gmail.com
Wed Jan 2 18:51:06 CET 2019


Module: kamailio
Branch: master
Commit: d309e27b1aa35176e17e24542ffc2507cd17eb3e
URL: https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507cd17eb3e

Author: Jose Luis Verdeguer <pepeluxx at gmail.com>
Committer: Jose Luis Verdeguer <pepeluxx at gmail.com>
Date: 2019-01-02T18:51:01+01:00

secfilter: in check sql injection function initialize str variables to NULL. In get values from headers it is checked if From or To name is empty to avoid false positives

---

Modified: src/modules/secfilter/secfilter.c
Modified: src/modules/secfilter/secfilter_hdr.c

---

Diff:  https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507cd17eb3e.diff
Patch: https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507cd17eb3e.patch

---

diff --git a/src/modules/secfilter/secfilter.c b/src/modules/secfilter/secfilter.c
index 5ec680d1b1..4816c4ad9d 100644
--- a/src/modules/secfilter/secfilter.c
+++ b/src/modules/secfilter/secfilter.c
@@ -131,10 +131,10 @@ PREVENT SQL INJECTION
 /* External function to search for illegal characters in several headers */
 static int w_check_sqli_all(struct sip_msg *msg)
 {
-	str ua;
-	str name;
-	str user;
-	str domain;
+	str ua = STR_NULL;
+	str name = STR_NULL;
+	str user = STR_NULL;
+	str domain = STR_NULL;
 	int res;
 	int retval = 1;
 
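
Review bot: `int res;`, directly below the four changed declarations in w_check_sqli_all, is now the only local in this block without an initializer; give it one as well (for example `int res = 0;`) so the declarations are consistent. Since an unfilled field now arrives as STR_NULL instead of stack contents, please also confirm that every later use of ua, name, user and domain in this function checks for a NULL pointer or zero length before scanning. Those uses are outside the lines shown here.
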
diff --git a/src/modules/secfilter/secfilter_hdr.c b/src/modules/secfilter/secfilter_hdr.c
index 5375d6ffff..1bb9ba1974 100644
--- a/src/modules/secfilter/secfilter_hdr.c
+++ b/src/modules/secfilter/secfilter_hdr.c
@@ -74,7 +74,7 @@ int secf_get_from(struct sip_msg *msg, str *name, str *user, str *domain)
 	}
 
 	hdr = get_from(msg);
-	if(hdr->display.s != NULL) {
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
 		name->s = hdr->display.s;
 		name->len = hdr->display.len;
 
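
Review bot: with the added `hdr->display.len > 0` condition in secf_get_from, `name` is only written inside this branch, so for an empty display name the output keeps whatever the caller passed in, unless an else branch outside this hunk clears it. The function then depends on every caller pre-initializing `name`, which w_check_sqli_all does after this commit. It would be more robust to set `name->s = NULL; name->len = 0;` at the top of secf_get_from so the function does not rely on its callers.
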
@@ -128,7 +128,7 @@ int secf_get_to(struct sip_msg *msg, str *name, str *user, str *domain)
 	}
 
 	hdr = get_to(msg);
-	if(hdr->display.s != NULL) {
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
 		name->s = hdr->display.s;
 		name->len = hdr->display.len;
 
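
Review bot: the condition `hdr->display.s != NULL && hdr->display.len > 0` in secf_get_to is a verbatim copy of the one in secf_get_from, and neither place explains why an empty display name is skipped. Add a one-line comment giving the reason stated in the commit message (an empty From or To name caused false positives), and consider moving the display-name copy into a small shared helper so the two functions cannot drift apart. The same remark about clearing `name` at function entry applies here.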



