Hello,
On 12.01.24 11:56, Benoît Panizzon wrote:
> Hi Daniel
>
>> comma is not allowed in an unquoted value for SIP parameters because
>> it is separator for header bodies that are set on the same header
>> name. Practically the comma is the end of parameters list.
> Thank you for your confirmation I was on the right track.
>
>> It should work with:
>>
>> xavp_params_explode("a=foo;c=\"hello,world\";e=baar", "x");
> Any recipe on how to solve if the value is the 'authentication'
> password taken from the database? As far as I understood the SIP RFC a
> comma is permitted in the SIP password itself, as it is never present
> cleartext in a sip header.
>
> Quick example of what I do when receiving a REGISTER with credentials to pull
> the password:
>
> $var(query) = "select user,password,language from sometable where auth_user = '" + $var(auth_user) + "' limit 1";
> $var(qresult) = sql_xquery("database", "$var(query)", "userdata");
> xavp_params_implode("userdata","$var(xuserdata)");
>
> $var(xuserdata) is "user=JohnDoe;password=secret,password;language=de_CH"
>
> This is then stored in an $sht to be cached and available for a while and
> reduce SQL queries.
>
> I guess there is no way to have sql_xquery automatically quote result fields
> that need quoting.
>
> I could probably do select user,concat('"',password,'"'),language from
> sometable?
>
> This could also be a potential issue with variable injections via SQL.
> Imagine some user sets a password ";var=value" this would lead to this var
> being overwritten I guess.
>
> We are moving towards storing ha1 hashed passwords, so that would solve my
> issue I guess.
The devel version has a new function to implode with values between quotes:

 - https://www.kamailio.org/docs/modules/devel/modules/pv.html#pv.f.xavp_params_implode_qval
If you expect any kind of characters, maybe hexa/base32/base64
encoding/decoding is a variant to explore.
Cheers, Daniel
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com
Kamailio Advanced Training, February 20-22, 2024 -- asipto.com
Kamailio World Conference, April 18-19, 2024, Berlin -- kamailioworld.com
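
The two failure modes raised in this thread (a comma cutting the list short, and a value such as `;var=value` overwriting another field) and the hex-encoding variant suggested in the reply, as an added Python sketch that is not part of the original messages and not Kamailio code. The parser is a simplified model of the `name=value;...` format, and the rule that a later duplicate name overwrites an earlier one is an assumption; the sample rows are constructed.

```python
# Simplified model of a "name=value;name=value" parameter string.
# NOT Kamailio's parser: it only mirrors what the thread describes, i.e.
# ';' separates parameters and an unquoted ',' ends the parameter list.
# Assumption: a later duplicate name overwrites an earlier one.

def implode_raw(fields):
    """Join fields with no quoting or encoding (the fragile form)."""
    return ";".join(f"{k}={v}" for k, v in fields.items())

def explode(params):
    """Parse the string back into a dict of name -> value."""
    params = params.split(",", 1)[0]      # unquoted comma ends the list
    out = {}
    for item in params.split(";"):
        if item:
            name, _, value = item.partition("=")
            out[name] = value
    return out

def implode_hex(fields):
    """Hex-encode each value so it cannot contain any delimiter."""
    return implode_raw({k: v.encode("utf-8").hex() for k, v in fields.items()})

def explode_hex(params):
    """Inverse of implode_hex; raises ValueError on non-hex values."""
    return {k: bytes.fromhex(v).decode("utf-8")
            for k, v in explode(params).items()}

# Constructed sample rows, standing in for a database result.
ROW_COMMA = {"user": "JohnDoe", "password": "secret,password",
             "language": "de_CH"}
ROW_DELIM = {"user": "JohnDoe", "password": "pw;user=other",
             "language": "de_CH"}

if __name__ == "__main__":
    for row in (ROW_COMMA, ROW_DELIM):
        print("raw :", explode(implode_raw(row)))      # value corrupted
        print("hex :", explode_hex(implode_hex(row)))  # value preserved
```

In a Kamailio configuration the same idea means encoding each value before it is imploded or cached and decoding it after the explode, or using `xavp_params_implode_qval` from the devel version as linked above.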