On 01/09/15 10:08, Daniel Tryba wrote:
> On Tuesday 01 September 2015 08:58:30 Daniel-Constantin Mierla wrote:
>> if($rd!=$fd) {
>>     send_reply("403", "Call outside the domain");
>>     exit;
>> }
> What is stopping people from setting $fd to the desired domain? Isn't
> $ad a better var. for this since it isn't dependent on user supplied data (well
> it is but then authentication will fail). Otherwise $fd should be used for
> authentication challenge/response.

The From domain is used to fetch the password along with the authentication username, so it should be safe, because if the user uses the wrong domain, it won't get the password from the db.
The authorization header might not carry any domain for the user; from a quick look at the source, $ad is pointing to the domain part of the username attribute in the authorization header. From my experience, a username without domain in the authorization header is the common case.

Also, there should be checks that do not allow a From address that is not associated with the authentication username; with the kamailio default config we enforce that the From username is the same as the auth username.

Cheers,
Daniel

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
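The ordering that makes the $rd != $fd check safe is easier to see in a complete route fragment. The following is an added example written for this page; it is neither the code from the quoted post nor Kamailio's shipped kamailio.cfg, although it mirrors the default config's $au != $fU check. It assumes the auth_db module with use_domain=1 (so the password row is selected by authentication username plus realm, and the realm is the From domain), a "subscriber" table keyed by username and domain, and a placeholder db_url; module parameter names and pseudo-variables ($au, $ad, $fU, $fd, $rd) should be confirmed against the auth_db and pv documentation for the Kamailio version in use.

```kamailio
# Added example, not from the list post or the stock kamailio.cfg.
# Assumptions: auth_db with use_domain=1, a subscriber table keyed by
# (username, domain), placeholder db_url, MySQL backend.

loadmodule "db_mysql.so"
loadmodule "sl.so"
loadmodule "textops.so"
loadmodule "auth.so"
loadmodule "auth_db.so"

# Password lookup uses both $au and the realm passed to proxy_authorize.
# With the realm set to $fd, a forged From domain finds no subscriber row,
# the client never gets past the 407, and the $fd value in the later
# domain check is one the caller actually authenticated against.
modparam("auth_db", "use_domain", 1)
modparam("auth_db", "db_url", "mysql://kamailio:secret@localhost/kamailio")  # placeholder

request_route {
    if (from_uri == myself && !is_method("REGISTER")) {
        # realm for the challenge and for the credential lookup is the From domain
        if (!proxy_authorize("$fd", "subscriber")) {
            proxy_challenge("$fd", "0");
            exit;
        }

        # $ad (domain part of the username= attribute) is usually empty,
        # as noted in the post, so the From header is tied to the
        # credentials through $au, not $ad.
        if ($au != $fU) {
            sl_send_reply("403", "Forbidden auth ID");
            exit;
        }

        # Only now is $fd trustworthy: it is the realm whose password
        # was verified, so comparing it with the Request-URI domain is
        # meaningful (the check from the quoted snippet).
        if ($rd != $fd) {
            sl_send_reply("403", "Call outside the domain");
            exit;
        }

        consume_credentials();
    }
    # continue with the normal request routing here
}
```

The two 403 checks must run after proxy_authorize succeeds: before that point both $fd and $fU are untrusted header content. Moving the $rd != $fd test ahead of authentication would let any caller probe which domains the proxy serves, and dropping the $au != $fU test would let an authenticated user of one account place calls with another user's From address in the same domain.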