OK, so in the case of REGISTER I could do a check_to() and a check_from(), since they should all be equal. In case of an INVITE, just a check_from(), right?
This makes sense why you do a check_to() after the www_authorize(), otherwise you wouldn't have the digest credentials.
Thanks!
---greg
If use_uri_table is set, then the username/digest_id is checked against a white-list of valid combinations in the database. For example, the user with id "mrpoliceman" can be allowed to have "mrpoliceman" and "911" in URIs.
If unset, the username is checked against digest_id. "mrpoliceman" can only have "mrpoliceman" in URIs. No database lookup is carried out.
At iptel, we deploy the latter simple policy:
    if (method=="REGISTER") {
        if (!www_authorize("iptel.org", "subscriber")) {
            # challenge if none or invalid credentials
            www_challenge("iptel.org", "0");
            break;
        };
        # To URI must match the authenticated digest identity
        if (!check_to()) {
            log("LOG: To Cheating attempt\n");
            sl_send_reply("403", "That is ugly -- use To=id in REGISTERs");
            break;
        };
        # ... (remaining REGISTER processing is not shown in the post)
    };
(If you try to login at iptel with Messenger and specify different URI from digest identity, you will get 403)
The table-driven policy is good if subscribers may have various appearances.
-jiri
At 04:13 AM 10/10/2003, Greg Fausak wrote:
I've run into a problem (again) where I'm worried about the registration and invite identity. I've got the appropriate check_from() which verifies that the from uri contains a user in the subscriber table.
The README in uri :
1.4.3. check_from()
Check From username against URI table or digest credentials.
I can't tell from the description if this means that *any* user will work? Can the user in the from() field be different than the user in the digest credentials? How can I be sure that the from matches the credentials?
---greg
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-- Jiri Kuthan http://iptel.org/~jiri/
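
The two identity policies discussed in this thread, as an added Python model that is not part of the original messages and is not SER's own code. The function names, the URI regex, the string results and the sample table are assumptions made for illustration; the table entry is constructed from the "mrpoliceman"/"911" example above.

```python
import re

# Constructed whitelist modelling the URI table: digest id -> allowed URI users.
URI_TABLE = {"mrpoliceman": {"mrpoliceman", "911"}}

def uri_user(header_value):
    """Return the user part of the first sip:/sips: URI in a From/To value."""
    m = re.search(r"sips?:([^:@;>\s]+)(?::[^@\s]*)?@", header_value, re.IGNORECASE)
    return m.group(1) if m else None

def check_identity(header_value, digest_id, use_uri_table=False, table=URI_TABLE):
    """Model of check_to()/check_from(): is this URI user allowed for digest_id?"""
    if digest_id is None:
        # No verified credentials yet: authorization has to succeed first,
        # otherwise there is nothing to compare the URI against.
        return False
    user = uri_user(header_value)
    if user is None:
        return False
    if use_uri_table:
        # Table-driven policy: one subscriber may have several appearances.
        return user in table.get(digest_id, set())
    # Simple policy: URI user must equal the digest identity, no lookup.
    return user == digest_id

def policy(method, to_hdr, from_hdr, digest_id, use_uri_table=False):
    """Return 'challenge', '403' or 'ok' for one request."""
    if digest_id is None:
        return "challenge"
    headers = [from_hdr]
    if method == "REGISTER":
        headers.append(to_hdr)  # in a REGISTER, To carries the registered identity
    if all(check_identity(h, digest_id, use_uri_table) for h in headers):
        return "ok"
    return "403"

if __name__ == "__main__":
    me = "<sip:mrpoliceman@iptel.org>"
    alias = "<sip:911@iptel.org>;tag=1"
    print(policy("REGISTER", alias, me, "mrpoliceman"))        # simple policy
    print(policy("REGISTER", alias, me, "mrpoliceman", True))  # table policy
    print(policy("INVITE", me, alias, None))                   # no credentials
```
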