Hey!
I'm hunting down an issue with xavp_params_explode, maybe somebody has already come across it and could confirm it exists and maybe knows a solution?
xavp_params_explode("a=foo;c=hello,world;e=baar", "x");
$xavp(x=>a) is 'foo'
but x=>c and x=>e are null
Am I right to assume the issue is being caused by the comma? Is there a way to allow a comma?
Hello,
On 12.01.24 11:01, Benoît Panizzon via sr-users wrote:
> Hey!
> I'm hunting down an issue with xavp_params_explode, maybe somebody has already come across it and could confirm it exists and maybe knows a solution?
> xavp_params_explode("a=foo;c=hello,world;e=baar", "x");
> $xavp(x=>a) is 'foo'
> but x=>c and x=>e are null
> Am I right to assume the issue is being caused by the comma? Is there a way to allow a comma?
A comma is not allowed in an unquoted value for SIP parameters because it is the separator for header bodies that are set on the same header name. Practically, the comma is the end of the parameters list.
It should work with:
xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
Cheers, Daniel
Hi Daniel
> A comma is not allowed in an unquoted value for SIP parameters because it is the separator for header bodies that are set on the same header name. Practically, the comma is the end of the parameters list.
Thank you for your confirmation, I was on the right track.
> It should work with:
> xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
Any recipe on how to solve if the value is the 'authentication' password taken from the database? As far as I understood the SIP RFC a comma is permitted in the SIP password itself, as it is never present cleartext in a sip header.
Quick example of what I do when receiving a REGISTER with credentials to pull the password:
$var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
$var(qresult) = sql_xquery("database", "$var(query)", "userdata");
xavp_params_implode("userdata","$var(xuserdata)");
$var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"
This is then stored in an $sht to be cached and available for a while and reduce SQL queries.
I guess there is no way to have sql_xquery automatically quote result fields that need quoting.
I could probably do select user,concat('"',password,'"'),language from sometable?
This could also be a potential issue with variable injections via SQL. Imagine some user sets a password ";var=value"; this would lead to this var being overwritten, I guess.
We are moving towards storing ha1 hashed passwords, so that would solve my issue I guess.
I used base64 encoding transformations to deal with these kinds of problems.
— Sent from mobile, apologies for brevity and errors.
On Jan 12, 2024, at 6:11 AM, Benoît Panizzon via sr-users sr-users@lists.kamailio.org wrote:
> Hi Daniel
> > A comma is not allowed in an unquoted value for SIP parameters because it is the separator for header bodies that are set on the same header name. Practically, the comma is the end of the parameters list.
> Thank you for your confirmation, I was on the right track.
> > It should work with:
> > xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
> Any recipe on how to solve if the value is the 'authentication' password taken from the database? As far as I understood the SIP RFC a comma is permitted in the SIP password itself, as it is never present cleartext in a sip header.
> Quick example of what I do when receiving a REGISTER with credentials to pull the password:
> $var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
> $var(qresult) = sql_xquery("database", "$var(query)", "userdata");
> xavp_params_implode("userdata","$var(xuserdata)");
> $var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"
> This is then stored in an $sht to be cached and available for a while and reduce SQL queries.
> I guess there is no way to have sql_xquery automatically quote result fields that need quoting.
> I could probably do select user,concat('"',password,'"'),language from sometable?
> This could also be a potential issue with variable injections via SQL. Imagine some user sets a password ";var=value"; this would lead to this var being overwritten, I guess.
> We are moving towards storing ha1 hashed passwords, so that would solve my issue I guess.
Hello,
On 12.01.24 11:56, Benoît Panizzon wrote:
> Hi Daniel
> > A comma is not allowed in an unquoted value for SIP parameters because it is the separator for header bodies that are set on the same header name. Practically, the comma is the end of the parameters list.
> Thank you for your confirmation, I was on the right track.
> > It should work with:
> > xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
> Any recipe on how to solve if the value is the 'authentication' password taken from the database? As far as I understood the SIP RFC a comma is permitted in the SIP password itself, as it is never present cleartext in a sip header.
> Quick example of what I do when receiving a REGISTER with credentials to pull the password:
> $var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
> $var(qresult) = sql_xquery("database", "$var(query)", "userdata");
> xavp_params_implode("userdata","$var(xuserdata)");
> $var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"
> This is then stored in an $sht to be cached and available for a while and reduce SQL queries.
> I guess there is no way to have sql_xquery automatically quote result fields that need quoting.
> I could probably do select user,concat('"',password,'"'),language from sometable?
> This could also be a potential issue with variable injections via SQL. Imagine some user sets a password ";var=value"; this would lead to this var being overwritten, I guess.
> We are moving towards storing ha1 hashed passwords, so that would solve my issue I guess.
the devel version has a new function to implode with values between quotes:
- https://www.kamailio.org/docs/modules/devel/modules/pv.html#pv.f.xavp_params...
If you expect any kind of characters, maybe hexa/base32/base64 encoding/decoding is a variant to explore.
Cheers, Daniel
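
The delimiter problem discussed in this thread, as an added example that is not part of the original messages and is not Kamailio code. The Python `explode` below is a simplified model of a `;`-separated parameter parser (an assumption that only mirrors the behaviour reported above: an unquoted comma ends the list); the helper names `implode_raw`, `implode_b64` and `explode_b64` are hypothetical and the row values are constructed from the thread's examples.

```python
import base64

def explode(params):
    """Simplified model (assumption): ';' separates name=value pairs, a
    double-quoted value may hold any character, an unquoted ',' ends the list
    and the parameter being read at that point is dropped."""
    out, i, n = {}, 0, len(params)
    while i < n:
        eq = params.find("=", i)
        if eq < 0:
            break
        name, i = params[i:eq], eq + 1
        if i < n and params[i] == '"':           # quoted value
            end = params.find('"', i + 1)
            if end < 0:
                break                            # unterminated quote: stop
            value, i = params[i + 1:end], end + 1
        else:                                    # unquoted value
            start = i
            while i < n and params[i] not in ";,":
                i += 1
            if i < n and params[i] == ",":
                break                            # comma: end of parameter list
            value = params[start:i]
        out[name] = value
        i += 1                                   # step over the ';'
    return out

def implode_raw(fields):
    # Values are pasted in as-is, so a ';' or ',' inside a value changes
    # how the string is split when it is parsed again.
    return ";".join(f"{k}={v}" for k, v in fields.items())

def implode_b64(fields):
    # Base64 output never contains ';', ',' or '"', so values stay opaque.
    return ";".join(
        f"{k}={base64.b64encode(v.encode()).decode()}" for k, v in fields.items()
    )

def explode_b64(params):
    return {k: base64.b64decode(v).decode() for k, v in explode(params).items()}

# Constructed database row using the password value raised in the thread.
ROW = {"user": "JohnDoe", "password": ";var=value", "language": "de_CH"}

if __name__ == "__main__":
    print(explode(implode_raw(ROW)))      # extra 'var' key, empty password
    print(explode_b64(implode_b64(ROW)))  # round-trips unchanged
```

In this model, quoting the password with SQL `concat` only helps while the value itself contains no double quote; encoding every value before imploding and decoding after exploding does not depend on the content at all.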