Hello,

On 12.01.24 11:56, Benoît Panizzon wrote:
Hi Daniel
 

comma is not allowed in an unquoted value for SIP parameters because
it is separator for header bodies that are set on the same header
name. Practically the comma is the end of parameters list.

Thank you for your confirmation I was on the right track.


It should work with:

xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");

Any recipe on how to solve if the value is the 'authentication'
password taken from the database? As far as I understood the SIP RFC a
comma is permitted in the SIP password itself, as it is never present
cleartext in a sip header.

Quick example of what I do when receiving a REGISTER with credentials to pull the password:

$var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
$var(qresult) = sql_xquery("database", "$var(query)", "userdata");
xavp_params_implode("userdata","$var(xuserdata)");

$var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"

This is the stored in an $sht to be cached and available for a while and reducde SQL queries.

I guess there is no way to have sql_xquery automatically quote result fields that need quoting.

I could probably do select user,concat('"',password,'"'),language from sometable?

This could also be a potential issue with variable injections via SQL. Immagine some use sets a password ";var=value" this would lead to this var being overwritten I guess.

We are moving towards storing ha1 hashed passwords, so that would solve my issue I guess.

the devel version has a new function to implode with values between quotes:

  - https://www.kamailio.org/docs/modules/devel/modules/pv.html#pv.f.xavp_params_implode_qval

If you expect any kind of characters, maybe hexa/base32/base64 encoding/decoding is a variant to explore.

Cheers, Daniel 

-- 
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio Advanced Training, February 20-22, 2024 -- asipto.com
Kamailio World Conference, April 18-19, 2024, Berlin -- kamailioworld.com