At 04:36 AM 10/10/2003, Greg Fausak wrote:
> OK, so in the case of REGISTER I could do a check_to() and a check_from(), since they should all be equal. In case of an INVITE, just a check_from(), right?
yes (I'm not sure check_from is necessary for REGISTER, but it can't harm. The primary threat which you wish to avoid is "jiri" digest-wise manipulating "greg"'s contacts through REGISTER's To. From does not affect usrloc content.)
> This makes sense why you do a check_to() after the www_authorize(), otherwise you wouldn't have the digest credentials.
Indeed -- verify credentials first, apply policy to them then.
-jiri
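
The ordering discussed in this thread, as a SER routing-script sketch. This is an added example, not configuration posted by either participant. It assumes the modules exporting these functions are already loaded, and the realm "example.com", the "subscriber" and "location" table names, and the use of proxy_authorize() for INVITE are assumptions.

```cfg
# Added example: authenticate first, then apply identity policy.
# Realm and table names are placeholders.
route {
    if (method=="REGISTER") {
        # Step 1: verify digest credentials. Until this succeeds there
        # is no authenticated username for check_to() to compare against.
        if (!www_authorize("example.com", "subscriber")) {
            www_challenge("example.com", "0");
            break;
        };
        # Step 2: the authenticated user must match the To user, so a
        # user with valid credentials cannot rewrite another user's
        # contacts in usrloc.
        if (!check_to()) {
            sl_send_reply("403", "Forbidden: To does not match credentials");
            break;
        };
        # Optional for REGISTER: From does not affect usrloc content.
        if (!check_from()) {
            sl_send_reply("403", "Forbidden: From does not match credentials");
            break;
        };
        save("location");
        break;
    };

    if (method=="INVITE") {
        # Same order for INVITE: credentials first, then the From check.
        if (!proxy_authorize("example.com", "subscriber")) {
            proxy_challenge("example.com", "0");
            break;
        };
        if (!check_from()) {
            sl_send_reply("403", "Forbidden: From does not match credentials");
            break;
        };
    };

    if (!t_relay()) {
        sl_reply_error();
    };
}
```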