[asterisk-dev] [Code Review] Limit addition of Contact header in SIP responses

Klaus Darilion klaus.mailinglists at pernau.at
Thu Feb 5 23:36:37 CST 2009


Hi!

Maybe related to this:

1. In responses Asterisk uses the userpart of the RURI as the userpart of 
the returned contact.

2. In requests, Asterisk uses CALLERID(num) as the userpart of the announced 
contact.

IMO there is no need to put this kind of information into the Contact - 
especially in the first case. For example, you have a proxy in front of 
Asterisk which rewrites the URI to match the dialplan of the Asterisk 
server. Then the user can find out the dialed number at the Asterisk 
server by looking at the Contact header. This makes it easier for 
attackers to target the Asterisk server.

Further, from a SIP point of view there is no need to use a userpart in 
the Contact URI at all (except for outgoing registrations) - dialog 
matching is done with the From tag, To tag and Call-ID.

Thus, IMO the userpart of the contact should be replaced by a random 
string, or a contact URI without a userpart should be used.

regards
klaus



Matthew Nicholson schrieb:
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://reviewboard.digium.com/r/141/
> -----------------------------------------------------------
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> This patch ensures that asterisk does not include the 'Contact' header in responses unless it is necessary (according to various SIP RFCs).
> 
> 
> This addresses bug 13602.
>     http://bugs.digium.com/view.php?id=13602
> 
> 
> Diffs
> -----
> 
>   /branches/1.4/channels/chan_sip.c 165953 
> 
> Diff: http://reviewboard.digium.com/r/141/diff
> 
> 
> Testing
> -------
> 
> I lightly tested this with ekiga using the REGISTER, INVITE, SUBSCRIBE, and BYE methods.
> 
> 
> Thanks,
> 
> Matthew
> 
> 
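Added example, not code from this thread or from Asterisk: a small SIP message checker that makes Klaus's first point concrete. It parses a constructed INVITE (whose Request-URI userpart a front proxy has rewritten to an internal extension) and two constructed responses, flags a response whose Contact copies the rewritten Request-URI userpart, and shows that dialog matching needs only Call-ID, From tag and To tag, so a Contact without a userpart loses nothing. All addresses, tags and extension numbers are constructed sample values.

```python
"""Check SIP responses for the Contact-userpart leak discussed in the thread."""
import re

# Constructed sample INVITE (not a real capture). A proxy in front of the PBX
# has rewritten the Request-URI userpart from the public number to the
# internal dialplan extension 7001; the To header still carries the dialed number.
REQUEST = (
    "INVITE sip:7001@192.0.2.10:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:+15551230100@example.net>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@198.51.100.5:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed response in the style Klaus describes for case 1: the Contact
# userpart is copied from the rewritten Request-URI, so the caller learns
# that the internal extension behind the public number is 7001.
RESPONSE_LEAKY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 198.51.100.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:+15551230100@example.net>;tag=as5b3c2f1a\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:7001@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Same response with a Contact URI that has no userpart at all.
RESPONSE_SAFE = RESPONSE_LEAKY.replace(
    "Contact: <sip:7001@192.0.2.10:5060>", "Contact: <sip:192.0.2.10:5060>"
)

# Compact header names from RFC 3261 that a parser must fold into the long form.
_COMPACT = {"f": "from", "t": "to", "i": "call-id", "m": "contact", "v": "via"}

# Optional "<", scheme, optional "user@", then host[:port]; stops at ">" or ";".
_URI_RE = re.compile(r"<?(sips?):(?:([^@>;\s]+)@)?([^>;\s]+)")


def parse_sip(raw):
    """Split a SIP message into (start line, {lower-case name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        name = _COMPACT.get(name, name)
        headers.setdefault(name, []).append(value.strip())
    return lines[0], headers, body


def uri_userpart(uri):
    """Return the userpart of a SIP URI (with or without <>), or None if absent."""
    m = _URI_RE.search(uri)
    return m.group(2) if m else None


def tag_of(header_value):
    """Return the ;tag= parameter of a From/To header value, or None."""
    m = re.search(r";tag=([^;\s]+)", header_value)
    return m.group(1) if m else None


def dialog_id(raw):
    """Dialog identifier per RFC 3261: (Call-ID, From tag, To tag). No Contact needed."""
    _, h, _ = parse_sip(raw)
    return (h["call-id"][0], tag_of(h["from"][0]), tag_of(h["to"][0]))


def same_dialog(request_raw, response_raw):
    """True if the response belongs to the request's dialog.

    Call-ID and From tag must match; the To tag is assigned by the answering
    side, so it is only compared when the request already carried one.
    """
    cid_q, ftag_q, ttag_q = dialog_id(request_raw)
    cid_r, ftag_r, ttag_r = dialog_id(response_raw)
    if cid_q != cid_r or ftag_q != ftag_r:
        return False
    return ttag_q is None or ttag_q == ttag_r


def contact_leaks_ruri(request_raw, response_raw):
    """True if any Contact in the response repeats the request's Request-URI userpart."""
    start, _, _ = parse_sip(request_raw)
    ruri_user = uri_userpart(start.split(" ")[1])
    if ruri_user is None:
        return False
    _, h, _ = parse_sip(response_raw)
    return any(uri_userpart(c) == ruri_user for c in h.get("contact", []))


if __name__ == "__main__":
    for label, resp in (("leaky", RESPONSE_LEAKY), ("safe", RESPONSE_SAFE)):
        print(label, "leaks RURI userpart:", contact_leaks_ruri(REQUEST, resp),
              "| same dialog:", same_dialog(REQUEST, resp))
```

Run over a pcap export of request/response pairs, this check flags every response whose Contact userpart equals the (proxy-rewritten) Request-URI userpart; the same_dialog check shows the receiver still correlates the response to its request without reading Contact at all.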
