Klaus Darilion writes:
Note: If you are using add_contact_alias() and handle_ruri_alias() this
means that you are routing based on the alias parameter. Thus, make sure
that an attacker cannot spoof this parameter, e.g. screen the Contact
header and RURI for existing 'alias' parameters. Especially for initial
requests make sure to route only on alias parameters which were added by
your system.
klaus,
thanks for your comment and tests.
in the alias usage example that i gave, handle_ruri_alias() is only
called on in-dialog requests. so i don't see any bigger security issue
if r-uri uri has alias param than if it doesn't.
That means in your example it is safe to do. But other people will use
(these useful functions) in different scenarios - e.g. adding the alias
on an outbound proxy before forwarding it to a main proxy - thus users
should be sensitive about security too - not only about functionality.
And IMO *ser* lacks documentation of secure configuration.
regards
klaus
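An added configuration example (not from this thread or the ser/sip-router project) showing the screening Klaus describes: initial requests carrying a pre-existing alias parameter are rejected, and handle_ruri_alias() is only trusted on in-dialog requests. It assumes a Kamailio/sip-router style config with the nathelper, siputils, sl and xlog modules loaded; the route names are placeholders.

```cfg
# Added example, not the project's own default config.
# Only this proxy is allowed to put ';alias=' into a Contact or R-URI,
# so anything that already carries one on an initial request is spoofed.
route {
    if (!has_totag()) {
        # Initial (dialog-forming) request: screen both the R-URI and the
        # Contact header for an alias parameter we did not add ourselves.
        if ($ru =~ ";alias=" || $ct =~ ";alias=") {
            xlog("L_WARN", "rejecting spoofed alias param from $si: $ru\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }

        # Now it is safe to add our own alias for NATed callers
        # (nat_uac_test flags are an assumption for this example).
        if (nat_uac_test("19")) {
            add_contact_alias();
        }
        route(RELAY_INITIAL);   # placeholder: normal initial routing
        exit;
    }

    # In-dialog request: the alias in the R-URI came from the Contact we
    # rewrote with add_contact_alias() on the initial request, so routing
    # on it here is the intended use.
    handle_ruri_alias();
    route(RELAY_INDIALOG);      # placeholder: loose-route / relay
}
```

If the alias is added on an outbound proxy and consumed on a separate main proxy, the main proxy should additionally accept alias-bearing requests only from that outbound proxy's address, since the screening above cannot tell the two sources apart.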