Description

Our partner is sending a call with this header:

From:  "COVER JERRY & M" <sip:+12099283442@206.147.236.174:5060;otg=TLMNCAXFDS0_3887>;tag=gK0c7f90e2

According to RFC3261:

Several rules are incorporated from RFC 2396 [5] but are updated to
   make them compliant with RFC 2234 [10].  These include:

      reserved    =  ";" / "/" / "?" / ":" / "@" / "&" / "=" / "+"
                     / "$" / ","
      unreserved  =  alphanum / mark
      mark        =  "-" / "_" / "." / "!" / "~" / "*" / "'"
                     / "(" / ")"
      escaped     =  "%" HEXDIG HEXDIG

Also

   SIP follows the requirements and guidelines of RFC 2396 [5] when
   defining the set of characters that must be escaped in a SIP URI, and
   uses its ""%" HEX HEX" mechanism for escaping.  From RFC 2396 [5]:

      The set of characters actually reserved within any given URI
      component is defined by that component.  In general, a character
      is reserved if the semantics of the URI changes if the character
      is replaced with its escaped US-ASCII encoding [5].  Excluded US-
      ASCII characters (RFC 2396 [5]), such as space and control
      characters and characters used as URI delimiters, also MUST be
      escaped.  URIs MUST NOT contain unescaped space and control
      characters.

And

   Expanding the hname and hvalue tokens in Section 25 show that all URI
   reserved characters in header field names and values MUST be escaped.

For now, it looks like the sanity module does not check reserved char usage.
This ticket was created to collect recommendations for feature implementation.

Should headers be checked?
Maybe a similar check is already present in the code and you can provide a reference?
Unescaped reserved char usage in the display name of "From", "To", "P-Asserted-Identity" and "Remote-Party-ID" breaks the SIP message (for example, the "lost" module cannot properly parse the "From" header). Should such a check be implemented in the Kamailio core also?

Expected behavior

One of these expected:

  1. Kamailio drops a message with reserved char usage in the header names and values. For TCP and TLS transport, it drops the connection;
  2. The sanity module allows checking reserved char usage in the header names and values.
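
A sketch of the kind of check requested above, as an added example that is not part of the original report and not Kamailio code: it scans one SIP URI for the violations named in the quoted RFC 3261 text (unescaped space or control characters, malformed "%" HEXDIG HEXDIG escapes, and unescaped reserved characters in the hname/hvalue tokens of the headers part). The function name `sip_uri_first_violation` is hypothetical; the check covers the URI only, not the display name, and does not validate the user, host or parameter grammar.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* hname/hvalue characters: unreserved or hnv-unreserved (RFC 3261, Section 25.1) */
static int is_hnv_char(unsigned char c)
{
    return isalnum(c) || strchr("-_.!~*'()" "[]/?:+$", c) != NULL;
}

/* Hypothetical helper: returns the offset of the first offending byte in a
 * SIP URI, or -1 if none is found. An offset equal to strlen(uri) means the
 * URI ended inside a header name (a header without "="). */
int sip_uri_first_violation(const char *uri)
{
    size_t len = strlen(uri);
    const char *at = strchr(uri, '@');          /* "?" is legal in the user part */
    const char *q = strchr(at ? at : uri, '?'); /* start of "?hname=hvalue&..." */
    size_t hdr = q ? (size_t)(q - uri) + 1 : len + 1;
    int in_name = 1;                            /* 1: in hname, 0: in hvalue */
    size_t name_len = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c <= 0x20 || c >= 0x7f)             /* space, control, non-ASCII */
            return (int)i;
        if (c == '%' && !(isxdigit((unsigned char)uri[i + 1]) &&
                          isxdigit((unsigned char)uri[i + 2])))
            return (int)i;                      /* escaped = "%" HEXDIG HEXDIG */
        if (i < hdr)
            continue;                           /* not in the headers part */
        if (c == '=' && in_name && name_len > 0) {
            in_name = 0;                        /* hname done, hvalue follows */
        } else if (c == '&' && !in_name) {
            in_name = 1;                        /* next header */
            name_len = 0;
        } else if (c == '%' || is_hnv_char(c)) {
            name_len += in_name;                /* hname needs at least 1 char */
        } else {
            return (int)i;                      /* unescaped reserved character */
        }
    }
    return (q && in_name) ? (int)len : -1;
}

int main(void)
{   /* the URI from the From header above, then two constructed samples */
    const char *t[] = { "sip:+12099283442@206.147.236.174:5060;otg=TLMNCAXFDS0_3887",
                        "sip:a@h?Subject=a%2Cb", "sip:a@h?Subject=a,b" };
    for (int i = 0; i < 3; i++)
        printf("%3d  %s\n", sip_uri_first_violation(t[i]), t[i]);
}
```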

