The problem, as you well know, is that not having the check allows a user A to impersonate the identity of any other user B, as long as user A has his own valid credentials for himself.
--
This message was painstakingly thumbed out on my mobile, so apologies for brevity, errors, and general sloppiness.

Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On Nov 14, 2011, at 9:00 PM, Juha Heinanen <[email protected]> wrote:

> Daniel-Constantin Mierla writes:
>
>> auth: added new error code to auth API
>>
>> - AUTH_USER_MISMATCH = -8 -- to be returned when auth user mismatch
>> from/to header user
>
> daniel,
>
> is this addition backwards compatible with current auth_db, i.e., is the
> check on by default?
>
> i don't like it to be on by default, since in very common use cases,
> from/to uri userpart does not match authentication username. for
> example, from/to userpart could be an e.164 number +something, when auth
> username could be a name.
>
> -- juha
>
> _______________________________________________
> sr-dev mailing list
> [email protected]
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
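The check under discussion, as an added sketch that is not part of the thread and is not the auth module's own code: it compares the digest username with the user part of the From URI and returns the AUTH_USER_MISMATCH value quoted above. The function names, the AUTH_OK value, the check_enabled switch and the sample URIs are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_OK             1    /* assumed success value for this sketch */
#define AUTH_USER_MISMATCH (-8)  /* value quoted in the commit message */

/* Locate the user part of a sip:/sips: URI such as "sip:alice@example.com".
 * Assumes the caller passes the bare URI (no display name, no angle
 * brackets, no URI parameters) with a lowercase scheme.
 * Returns 0 and sets *user / *len, or -1 if there is no user part. */
static int uri_user(const char *uri, const char **user, size_t *len)
{
    const char *p, *at, *end;

    if (strncmp(uri, "sips:", 5) == 0)
        p = uri + 5;
    else if (strncmp(uri, "sip:", 4) == 0)
        p = uri + 4;
    else
        return -1;

    at = strchr(p, '@');
    if (at == NULL || at == p)
        return -1;               /* host-only URI or empty user */

    /* the user part ends at ':' (optional password) or at '@' */
    end = memchr(p, ':', (size_t)(at - p));
    if (end == NULL)
        end = at;
    if (end == p)
        return -1;
    *user = p;
    *len = (size_t)(end - p);
    return 0;
}

/* check_enabled models the "on by default?" question: 0 keeps the old
 * behaviour, where valid credentials are accepted with any From user. */
int check_auth_user(const char *digest_user, const char *from_uri,
                    int check_enabled)
{
    const char *u;
    size_t n;

    if (!check_enabled)
        return AUTH_OK;
    if (uri_user(from_uri, &u, &n) < 0)
        return AUTH_USER_MISMATCH;
    /* the SIP URI user part is compared case-sensitively (RFC 3261) */
    if (strlen(digest_user) != n || memcmp(digest_user, u, n) != 0)
        return AUTH_USER_MISMATCH;
    return AUTH_OK;
}
```

With the check enabled, a constructed deployment where the From user is an E.164 number and the digest username is a name is rejected as well, which is the compatibility concern raised in the quoted message.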
