On 12/13/06 17:37, Klaus Darilion wrote:
Juha Heinanen wrote:
Klaus Darilion writes:

> Today I found out that openser does not unescape the escaped characters
> when parsing the message. Thus, it is easy to bypass typical routing
> logic by escaping the digits, e.g.
>
> if (uri =~ "^sip:0900.*") {
>     sl_send_reply("403","sex hotlines are not allowed");
>     exit;
> }
>
> can be tricked by calling sip:%30900...

yes, if you accept % character in your r-uri to pstn.

> Shouldn't we unescape the message when parsing?

this has been discussed a few times before.  i have suggested that we
should unescape characters at least in r-uri when request is received
and then escape them back when request is sent out.

I agree with you - the parameters which will be used for routing (matching against regexp or simple if conditions) IMO MUST be unescaped to avoid bypassing the check.

Bogdan, Daniel - what do you think?

yes, this should be done, but the case Klaus pointed out can have escaped digits -- in this case I would say not to escape them back (allowed characters should not be escaped back).

Cheers,
Daniel


regards
klaus
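
The bypass and the two suggestions made in this thread (unescape the R-URI before matching; do not escape allowed characters back), as an added Python example that is not part of the original messages and is not OpenSER code. The names `normalize_ruri` and `is_blocked` and the sample URIs are constructed for illustration; the allowed-character set follows the RFC 3261 `user` grammar.

```python
import re

# Characters RFC 3261 allows unescaped in the user part of a SIP URI:
# alphanum, mark ("-_.!~*'()") and user-unreserved ("&=+$,;?/").
USER_ALLOWED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-_.!~*'()&=+$,;?/"
)
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
BLOCKED = re.compile(r"^sip:0900")  # same prefix rule as in the thread


def _decode(match):
    # Decode the escape only if the character may legally appear unescaped;
    # otherwise keep it escaped (hex upper-cased) so "@" or ":" stay data.
    ch = chr(int(match.group(1), 16))
    return ch if ch in USER_ALLOWED else match.group(0).upper()


def normalize_ruri(uri):
    """Return the URI with needless escapes in the user part removed.

    Single pass only: "%2530" becomes neither "%30" nor "0".
    Assumes the first "@" ends the user part; URIs without one are unchanged.
    """
    scheme, colon, rest = uri.partition(":")
    user, at, hostport = rest.partition("@")
    if not at:
        return uri
    return scheme + colon + ESCAPE.sub(_decode, user) + at + hostport


def is_blocked(uri):
    """Apply the routing rule to the normalized form, not the raw bytes."""
    return BLOCKED.match(normalize_ruri(uri)) is not None


if __name__ == "__main__":
    # Constructed sample request URIs.
    for raw in ("sip:0900123456@pstn.example.com",
                "sip:%30900123456@pstn.example.com",
                "sip:%30%39%30%30123456@pstn.example.com",
                "sip:0800123456@pstn.example.com",
                "sip:alice%40home@example.com"):
        naive = BLOCKED.match(raw) is not None
        print(f"{raw:45} naive={naive!s:5} normalized={is_blocked(raw)}")
```
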

