Juha Heinanen schrieb:
Klaus Darilion writes:
Note: If you are using add_contact_alias() and handle_ruri_alias() this means that you are routing based on the alias parameter. Thus, make sure that an attacker can not spoof this paramter, e.g. screen the contact header and RURI for existing 'alias' parameters. Especially for initial requests make sure to route only on alias paramters which were added by your system.
klaus,
thanks for your comment and tests.
in the alias usage example that i gave, handle_ruri_alias() is only called on in-dialog requests. so i don't see any bigger security issue if r-uri uri has alias param than if it doesn't.
That means in your example it is safe to do. But other people will use (these useful functions) in different scenarios - e.g. adding the alias on an outbound proxy before forwarding it the a main proxy - thus users should be sensitive about security too - not only about functionality. And IMO *ser* lacks documentation of secure configuration.
regards klaus