Klaus Darilion writes:
Note: If you are using add_contact_alias() and handle_ruri_alias() this means that you are routing based on the alias parameter. Thus, make sure that an attacker cannot spoof this parameter, e.g. screen the Contact header and RURI for existing 'alias' parameters. Especially for initial requests, make sure to route only on alias parameters which were added by your system.
klaus,
thanks for your comment and tests.
in the alias usage example that i gave, handle_ruri_alias() is only called on in-dialog requests. so i don't see any bigger security issue if the r-uri has an alias param than if it doesn't.
Maybe add_contact_alias() should overwrite existing alias parameters?
my opinion on this is that if someone wants to shoot him/herself in the foot, then be it.
-- juha
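The screening Klaus describes, as an added illustration that is not part of the thread and not Kamailio's own code: a small Python check that finds and strips 'alias' parameters from the RURI and Contact header of an initial request, and accepts an alias on in-dialog requests only if it matches an address the proxy itself recorded. The "ip~port~transport" alias layout, the sample SIP lines and the recorded-contact table are all assumptions constructed for this example.

```python
import re
from typing import Optional, Set, Tuple

# Matches a ";alias=<value>" URI parameter; the value ends at the next
# ';', '>' or whitespace. Assumed layout of the value: "ip~port~transport".
ALIAS_RE = re.compile(r";alias=([^;>\s]*)")


def find_alias(uri: str) -> Optional[str]:
    """Return the value of the first alias parameter in a SIP URI, or None."""
    m = ALIAS_RE.search(uri)
    return m.group(1) if m else None


def strip_alias(uri: str) -> str:
    """Remove every alias parameter, so only values our proxy adds later remain."""
    return ALIAS_RE.sub("", uri)


def alias_is_trusted(alias: str, recorded: Set[Tuple[str, int]]) -> bool:
    """Accept an alias only if it names an ip/port pair the proxy recorded itself."""
    parts = alias.split("~")
    if len(parts) != 3:
        return False
    ip, port, _transport = parts
    if not port.isdigit():
        return False
    return (ip, int(port)) in recorded


def screen_initial_request(ruri: str, contact: str) -> Tuple[str, str, int]:
    """Initial request (no To tag): drop any alias the caller supplied.

    Returns the cleaned RURI, the cleaned Contact and how many aliases were removed,
    so the caller can log or count spoofing attempts.
    """
    removed = len(ALIAS_RE.findall(ruri)) + len(ALIAS_RE.findall(contact))
    return strip_alias(ruri), strip_alias(contact), removed


def route_in_dialog(ruri: str, recorded: Set[Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """In-dialog request: route on the alias only when it is one we created."""
    alias = find_alias(ruri)
    if alias is None or not alias_is_trusted(alias, recorded):
        return None
    ip, port, _ = alias.split("~")
    return ip, int(port)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    recorded_contacts = {("192.0.2.7", 5060)}
    spoofed_ruri = "sip:alice@10.0.0.5;alias=203.0.113.9~5060~1;transport=udp"
    spoofed_contact = "<sip:bob@198.51.100.3:5060;alias=203.0.113.9~5060~1>"
    print(screen_initial_request(spoofed_ruri, spoofed_contact))
    print(route_in_dialog("sip:alice@10.0.0.5;alias=192.0.2.7~5060~1", recorded_contacts))
    print(route_in_dialog(spoofed_ruri, recorded_contacts))
```

The point of keeping the removal count is that a non-zero value on an initial request is itself a signal worth logging: a legitimate UA has no reason to send an alias the proxy never added.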