At 04:36 AM 10/10/2003, Greg Fausak wrote:
> OK, so in the case of REGISTER I could
> do a check_to() and a check_from(), since they
> should all be equal. In case of an INVITE, just a check_from(),
> right?

yes (I'm not sure check_from is necessary for REGISTER, but it can't
harm. The primary threat which you wish to avoid is "jiri" digest-wise
manipulating "greg"'s contacts through REGISTER's To. From does not
affect usrloc content.)

> This makes sense why you do a check_to() after the www_authorize(),
> otherwise you wouldn't have the digest credentials.

Indeed -- verify credentials first, apply policy to them then.
-jiri
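
Added example, not part of the original message and not SER's own code: a Python model of the ordering discussed above, where the To/From policy is applied only after the digest credentials have been verified. The sample requests, the example.com domain, the function names, exact-match comparison and treating other methods like INVITE are all assumptions.

```python
import re

URI_USER = re.compile(r"sips?:([^@>;\s]+)@", re.I)
DIGEST_USER = re.compile(r'\busername="([^"]*)"', re.I)

def sample(method, to_user, from_user, auth_user):
    """Constructed request; the digest response is a placeholder, not a real hash."""
    return "\r\n".join([
        f"{method} sip:example.com SIP/2.0",
        f"To: <sip:{to_user}@example.com>",
        f"From: <sip:{from_user}@example.com>;tag=1",
        f'Authorization: Digest username="{auth_user}", realm="example.com", '
        'response="PLACEHOLDER"',
        "", ""])

def parse(raw):
    """Return (method, {lower-cased header name: value}) for a SIP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def uri_user(value):
    """User part of the first SIP URI in a To/From header value, or None."""
    m = URI_USER.search(value or "")
    return m.group(1) if m else None

def identity_policy(raw, digest_verified):
    """Model of the post-authentication check; returns (allowed, reason).

    digest_verified stands in for the result of www_authorize().
    """
    if not digest_verified:
        return False, "no verified credentials"
    method, headers = parse(raw)
    m = DIGEST_USER.search(headers.get("authorization", ""))
    if not m:
        return False, "no digest username"
    # REGISTER: To names the usrloc record being modified, so it must match.
    # From is checked for every method (for REGISTER it is optional but harmless).
    for name in (("to", "from") if method == "REGISTER" else ("from",)):
        if uri_user(headers.get(name)) != m.group(1):  # exact match (assumption)
            return False, f"{name} user differs from digest username"
    return True, "ok"
```
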