### Description
`secf_check_sqli_all();` blocks requests when a single quote is present in the From name:
```
From: "O'Reilly" sip:100@example.net;tag=abcd
```
Since single quotes are frequent in names, it makes it difficult to use this function.
### Possible Solutions
A solution would be to skip single quote check in From name.
I'll write the PR if you are OK with this solution
I think the purpose of the secf_check_sqli_all() function is to prevent characters related to SQL injection, not to check for valid SIP syntax. In this context the filtering of single quotes is necessary. So this function is probably not useful for your purpose then. If you are concerned about blocking characters which are not valid according to the SIP grammar, you should use the sanity module.
Thomas, I think it might be interesting to avoid the check in the From Name, can you write the PR?
If you want to go for it, it probably makes sense to adapt a flag based parameter for the check. Something like:
- flag 1: skip From Name
- flag 2: skip To Name
- ..
Use e.g. like this: secf_check_sqli_all("3") to skip checking From and To Name.
Right now it is possible to check only some of the headers you are interested in using: secf_check_sqli_hdr($ua);
The function secf_check_sqli_all(); checks all the headers and, it is true that in the From Name header check, the double quotes are omitted, but I forgot to omit the single quotes, maybe because in my country it is not common to use it in the name.
I think it would be enough to omit the single quote in the From Name header. Also, we usually find SQL injections in the User, Domain fields and in the URI.
Ok, if it's supposed to be excluded from the Name fields, then surely it just can be fixed. Would be probably good to add a sentence to the documentation about it that the Names are less thoroughly checked.
> The function secf_check_sqli_all(); checks all the headers and, it is true that in the From Name header check, the double quotes are omitted, but I forgot to omit the single quotes, maybe because in my country it is not common to use it in the name.

Double quotes are ignored in From Name by the function `secf_get_from` only if they are located at the first or last position of the string. Apart from first and last chars, From Name is checked with `sf_check_sqli` as other fields. Here I suggest to completely remove single quote check in From Name.
Are still OK to remove single quote check in From Name? And maybe in To Name? Or do we need flags as proposed by @henningw earlier?
I think in From Name you can only have double quotes at the beginning or at the end. That's why it is only checked in the first or last position. Maybe I'm wrong.
Imho you can remove single quotes in From Name, and you can apply the same rules, for single and double quotes, to To Name
This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.
Closed #3984 as not planned.
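
A stand-alone C model of the behaviour discussed in this thread, added as an example and not taken from the secfilter module: a double quote is ignored only at the first or last position of a display name, and a flag relaxes the single-quote test for From Name or To Name while user parts stay strictly checked. The flag names, the function signatures and the reduced set of rejected characters are assumptions made for this example, and the flags here relax only the single quote rather than skipping the whole name.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical flag bits modelled on the "flag 1 / flag 2" proposal in the thread. */
#define SKIP_FROM_NAME 1
#define SKIP_TO_NAME   2

/* Assumed reject set for this model only: quote characters and the SQL
 * comment marker "--". The real module's list is not shown on this page. */
static int has_sqli_chars(const char *s, size_t len, int allow_single_quote)
{
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '"') return 1;
        if (s[i] == '\'' && !allow_single_quote) return 1;
        if (s[i] == '-' && i + 1 < len && s[i + 1] == '-') return 1;
    }
    return 0;
}

/* Display name: ignore a double quote only at the first and last position,
 * as described for secf_get_from, then scan what is left. */
static int check_display_name(const char *name, int relaxed)
{
    size_t len = strlen(name);
    if (len > 0 && name[0] == '"') { name++; len--; }
    if (len > 0 && name[len - 1] == '"') len--;
    return has_sqli_chars(name, len, relaxed);
}

/* Returns 1 if the request would be rejected, 0 if it passes.
 * User parts are always checked strictly; flags only relax the names. */
int check_sqli_all(const char *from_name, const char *from_user,
                   const char *to_name, const char *to_user, int flags)
{
    if (check_display_name(from_name, flags & SKIP_FROM_NAME)) return 1;
    if (check_display_name(to_name, flags & SKIP_TO_NAME)) return 1;
    if (has_sqli_chars(from_user, strlen(from_user), 0)) return 1;
    if (has_sqli_chars(to_user, strlen(to_user), 0)) return 1;
    return 0;
}
```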