Hi Daniel
 
> comma is not allowed in an unquoted value for SIP parameters because
> it is separator for header bodies that are set on the same header
> name. Practically the comma is the end of parameters list.

Thank you for confirming I was on the right track.

> It should work with:
> 
> xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");

Any recipe on how to solve if the value is the 'authentication'
password taken from the database? As far as I understood the SIP RFC a
comma is permitted in the SIP password itself, as it is never present
cleartext in a sip header.

Quick example of what I do when receiving a REGISTER with credentials to pull 
the password:

$var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
$var(qresult) = sql_xquery("database", "$var(query)", "userdata");
xavp_params_implode("userdata","$var(xuserdata)");

$var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"

This is then stored in an $sht to be cached and available for a while and 
reduce SQL queries.

I guess there is no way to have sql_xquery automatically quote result fields 
that need quoting.

I could probably do select user,concat('"',password,'"'),language from 
sometable?

This could also be a potential issue with variable injections via SQL. Imagine 
some user sets a password ";var=value"; this would lead to this var being 
overwritten I guess.

We are moving towards storing ha1 hashed passwords, so that would solve my 
issue I guess.

-- 
Kind regards

-Benoît Panizzon- @ home office and reachable as usual
-- 
I m p r o W a r e   A G    -    Head of Commerce Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
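
Added example, not part of the original message and not Kamailio code: a simplified Python model of the "name=value;name=value" string discussed above, showing how an unquoted password truncates the list or overwrites another field, and how quoting every value on serialization avoids both. The parser rules (backslash escapes inside quotes, a later duplicate name replacing the earlier one) and all sample values are assumptions made for this illustration.

```python
# Simplified model of a "name=value;..." parameter string (assumed rules, not Kamailio's parser).

def implode_naive(fields):
    # Values are concatenated as-is, as in the userdata string shown in the message.
    return ";".join(f"{k}={v}" for k, v in fields.items())

def implode_quoted(fields):
    # Quote every value; escape backslash and double quote so the value cannot end early.
    parts = []
    for k, v in fields.items():
        esc = v.replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{k}="{esc}"')
    return ";".join(parts)

def explode(s):
    # An unquoted ',' ends the list, an unquoted ';' ends a value, quoted text is literal.
    result, i, n = {}, 0, len(s)
    while i < n:
        eq = s.find("=", i)
        if eq < 0:
            break
        name, i, value = s[i:eq], eq + 1, []
        if i < n and s[i] == '"':
            i += 1
            while i < n and s[i] != '"':
                if s[i] == "\\" and i + 1 < n:
                    i += 1              # take the escaped character literally
                value.append(s[i])
                i += 1
            i += 1                      # skip the closing quote
        else:
            while i < n and s[i] not in ";,":
                value.append(s[i])
                i += 1
        result[name] = "".join(value)   # assumption: a duplicate name replaces the earlier one
        if i < n and s[i] == ",":
            break                       # unquoted comma: end of the parameter list
        i += 1                          # skip ';'
    return result

if __name__ == "__main__":
    # Constructed sample rows, modelled on the message's example.
    row = {"user": "JohnDoe", "password": "secret,password", "language": "de_CH"}
    print(explode(implode_naive(row)))       # password truncated, language lost
    print(explode(implode_quoted(row)))      # all three fields intact
    hostile = dict(row, password="x;user=other")
    print(explode(implode_naive(hostile)))   # user replaced by the password's content
    print(explode(implode_quoted(hostile)))  # password kept as one opaque value
```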