[Kamailio-Users] uac_replace_from check

Juha Heinanen jh at tutpro.com
Wed Apr 1 09:05:51 CEST 2009


Juha Heinanen writes:

 > does the module check that reply to the request from uas really includes
 > the added parameter in its r-r header or is correct operation of
 > in-dialog requests at the mercy of the uas?

answering to myself, i read the source code and looks like
restore_from_reply function does not check that the r-r param that was
added when request was processed, was copied by uas to the reply or that
the reply contains the r-r header that the proxy added to the
request.

isn't this a security risk?  even without the from replacing business,
shouldn't proxy ALWAYS check that the reply contains the r-r header that
it added?  if it does not, the uac can be fooled to send in-dialog
requests to somewhere else (unless it is configured to always use this
proxy as its next hop).

so if proxy receives a request that contains a (possibly missing) r-r
header:

r-r: a,b

and it adds itself (c) there

r-r: a,b,c

when reply comes back, shouldn't the proxy check that the r-r header in
the reply starts with

r-r: a,b,c

if not, what am i missing here?

-- juha




More information about the sr-users mailing list