[asterisk-bugs] [JIRA] (ASTERISK-22900) chan_sip misparses realm if it contains @ character

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Nov 25 09:16:03 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-22900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=212208#comment-212208 ] 

Matt Jordan commented on ASTERISK-22900:
----------------------------------------

While the patch is correct - we should certainly be separating the username portion (which includes the secret) from the realm by splitting the string at the first occurrence of '@' as opposed to the last - I'm a bit concerned that not all callers of {{add_realm_authentication}} will have properly escaped the '@' character from the username. In particular, people who had previously defined a SIP peer with the following:

{noformat}
auth=mark:top@secret@digium.com
{noformat}

would have had their authentication "work" (or at the least, it would have correctly split out the realm from the username portion), even if it is incorrect to contain an unescaped '@' character in the username portion.

I don't see {{chan_sip}} escaping the username/password portion at any point where it uses the authentication information, so providing an unescaped '@' in the password would most likely break regardless. However, given how finicky URI parsing can be, I'd prefer there to be some amount of testing done on this patch before it goes in.


> chan_sip misparses realm if it contains @ character
> ---------------------------------------------------
>
>                 Key: ASTERISK-22900
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22900
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Interoperability
>    Affects Versions: 11.6.0
>         Environment: Fedora 19
>            Reporter: adomjan
>         Attachments: chan_sip.c-fix_at_in_realm.patch
>
>
> The SIP proxy uses the srxadmin@localhost realm.
> In sip.conf:
> auth => user:secret@srxadmin@localhost
> Asterisk parses localhost as the realm.
> According to:
> http://tools.ietf.org/html/rfc2617#section-3.2.1
> the @ character is permitted in the realm string.
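The two ways of splitting an "auth = user:secret@realm" entry that the comment and the report discuss, as an added example in C that is neither chan_sip's own code nor the attached patch; the struct, the parse_realm_auth function and the sample entries are constructed here to show why the first-'@' split keeps a realm such as srxadmin@localhost intact and what changes for an entry with an unescaped '@' in the secret.

```c
#include <stdio.h>
#include <string.h>

/* Parsed form of an "auth = user:secret@realm" entry (constructed for this example). */
struct realm_auth {
    char user[64];
    char secret[64];
    char realm[128];
};

/*
 * Split "user:secret@realm" into its three parts.
 * split_at_first selects which '@' separates the secret from the realm:
 *   1 -> first '@' after the ':' (the fix under review; RFC 2617 allows '@' in a realm)
 *   0 -> last '@' (the previous behaviour, which shortens "srxadmin@localhost" to "localhost")
 * Returns 0 on success, -1 if the entry has no ':' or no '@' after it.
 */
static int parse_realm_auth(const char *entry, int split_at_first, struct realm_auth *out)
{
    const char *colon = strchr(entry, ':');
    if (!colon) {
        return -1;
    }
    const char *at = split_at_first ? strchr(colon + 1, '@') : strrchr(colon + 1, '@');
    if (!at) {
        return -1;
    }
    /* "%.*s" copies exactly the span between the delimiters, bounded by the buffer size. */
    snprintf(out->user, sizeof out->user, "%.*s", (int)(colon - entry), entry);
    snprintf(out->secret, sizeof out->secret, "%.*s", (int)(at - colon - 1), colon + 1);
    snprintf(out->realm, sizeof out->realm, "%s", at + 1);
    return 0;
}

int main(void)
{
    /* Constructed entries: the reporter's sip.conf line and the one from the comment. */
    const char *entries[] = { "user:secret@srxadmin@localhost", "mark:top@secret@digium.com" };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        struct realm_auth old, fixed;
        if (parse_realm_auth(entries[i], 0, &old) || parse_realm_auth(entries[i], 1, &fixed)) {
            continue;
        }
        printf("%s\n  last '@':  secret=\"%s\" realm=\"%s\"\n  first '@': secret=\"%s\" realm=\"%s\"\n",
               entries[i], old.secret, old.realm, fixed.secret, fixed.realm);
    }
    return 0;
}
```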
