2 Jan
2019
2 Jan
'19
5:51 p.m.
Module: kamailio
Branch: master
Commit: d309e27b1aa35176e17e24542ffc2507cd17eb3e
URL: https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc250…
Author: Jose Luis Verdeguer <pepeluxx(a)gmail.com>
Committer: Jose Luis Verdeguer <pepeluxx(a)gmail.com>
Date: 2019-01-02T18:51:01+01:00
secfilter: in check sql injection function initialize str variables to NULL. In get values
from headers it is checked if From or To name is empty to avoid false positives
---
Modified: src/modules/secfilter/secfilter.c
Modified: src/modules/secfilter/secfilter_hdr.c
---
Diff:
https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc250…
Patch:
https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc250…
---
diff --git a/src/modules/secfilter/secfilter.c b/src/modules/secfilter/secfilter.c
index 5ec680d1b1..4816c4ad9d 100644
--- a/src/modules/secfilter/secfilter.c
+++ b/src/modules/secfilter/secfilter.c
@@ -131,10 +131,10 @@ PREVENT SQL INJECTION
/* External function to search for illegal characters in several headers */
static int w_check_sqli_all(struct sip_msg *msg)
{
- str ua;
- str name;
- str user;
- str domain;
+ str ua = STR_NULL;
+ str name = STR_NULL;
+ str user = STR_NULL;
+ str domain = STR_NULL;
int res;
int retval = 1;
diff --git a/src/modules/secfilter/secfilter_hdr.c
b/src/modules/secfilter/secfilter_hdr.c
index 5375d6ffff..1bb9ba1974 100644
--- a/src/modules/secfilter/secfilter_hdr.c
+++ b/src/modules/secfilter/secfilter_hdr.c
@@ -74,7 +74,7 @@ int secf_get_from(struct sip_msg *msg, str *name, str *user, str
*domain)
}
hdr = get_from(msg);
- if(hdr->display.s != NULL) {
+ if(hdr->display.s != NULL && hdr->display.len > 0) {
name->s = hdr->display.s;
name->len = hdr->display.len;
@@ -128,7 +128,7 @@ int secf_get_to(struct sip_msg *msg, str *name, str *user, str
*domain)
}
hdr = get_to(msg);
- if(hdr->display.s != NULL) {
+ if(hdr->display.s != NULL && hdr->display.len > 0) {
name->s = hdr->display.s;
name->len = hdr->display.len;