30 Dec
2009
30 Dec
'09
5:37 p.m.
Klaus Darilion writes:
Note: If you are using add_contact_alias() and
handle_ruri_alias() this
means that you are routing based on the alias parameter. Thus, make sure
that an attacker can not spoof this paramter, e.g. screen the contact
header and RURI for existing 'alias' parameters. Especially for initial
requests make sure to route only on alias paramters which were added by
your system.
klaus,
thanks for your comment and tests.
in the alias usage example that i gave, handle_ruri_alias() is only
called on in-dialog requests. so i don't see any bigger security issue
if r-uri uri has alias param than if it doesn't.
Maybe add_contact_alias() should overwrite existing
alias parameters?
my opinion on this is that if someone wants to shoot him/hershelf in the
foot, then be it.
-- juha