<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<font face="monospace">Hi Gregory,<br>
<br>
For the grammar of the SIP username, see the
<a class="moz-txt-link-freetext" href="https://www.ietf.org/rfc/rfc3261.html">https://www.ietf.org/rfc/rfc3261.html</a>, page 221 - you have all the
details there.<br>
<br>
For the contact test, yes, it should be correct.<br>
<br>
Regards,<br>
</font>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
<a class="moz-txt-link-freetext" href="https://www.siphub.com">https://www.siphub.com</a></pre>
<div class="moz-cite-prefix">On 05.12.2023 14:45, Gregory Massel
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:792aa98d-9e35-478a-b63e-50bc1d1a55d4@switchtel.co.za">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Thank you Bogdan!</p>
<p>It's worth noting that, if using {s.escape.user}, it won't
detect a SQL injection, however, it may detect other potentially
problematic characters, so one then has to apply both checks
individually, e.g.</p>
<pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
send_reply (403,"Forbidden");
exit;
}
if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) {
xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct).");
send_reply (403,"Forbidden");
exit;
}</pre>
<p>So above doesn't block UTF-8; it just enforces that it must be
received from the client in fully escaped form.</p>
<p>I'm gathering that UTF-8 is actually acceptable for the user
part (and most other parts) of the URI, provided that it's
encoded with '%'? I work with purely ASCII user parts however,
out of interest, was wondering if it is allowable and/or
commonplace to use Unicode extended character sets for any
portions of the URI in parts of the world where other character
sets are more frequently used? From what I could find, it seems
that UTF16 is not allowed in the User Part and that the domain
would be internationalised using Punycode, so the full URI
should always be encoded in ASCII but with UTF-8 (but not
UTF-16) permitted in %-encoded form for the user part?</p>
<p>With respect to the Contact header, I'm struggling a bit. Is
the syntax below correct?<br>
</p>
<pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
send_reply (403,"Forbidden");
exit;
}
</pre>
<div class="moz-cite-prefix">-- <br>
<span style="font-size:11.0pt;font-family:Assistant;color:black">Thanks<br>
</span> <span
style="font-size:11pt;font-family:Assistant;color:#44546A"> <b>Gregory
Massel</b><br>
</span> <span
style="font-size:11.0pt;font-family:Assistant;color:#32444B">
</span></div>
<div class="moz-cite-prefix"><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
<div class="moz-cite-prefix">On 2023-12-05 11:33, Bogdan-Andrei
Iancu wrote:<br>
</div>
<blockquote type="cite"
cite="mid:7721d776-dcf5-4271-ae48-ef565b4e5569@opensips.org">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
<font face="monospace">Hi Gregory,<br>
<br>
As it is said, there is no single way to skin the cat :). Your
approach is a valid one, by using the escaping transformation.
Maybe you should check the s.escape.user [1]. <br>
<br>
Such checks make sense when using avp_db_query(), so raw
queries. The internal queries (like auth, etc) are done via
prepared statements, so safe to injections.<br>
<br>
[1] <a class="moz-txt-link-freetext"
href="https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user"
moz-do-not-send="true">https://www.opensips.org/Documentation/Script-Tran-3-2#s.escape.user</a><br>
<br>
Regards,<br>
</font>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext"
href="https://www.opensips-solutions.com" moz-do-not-send="true">https://www.opensips-solutions.com</a>
<a class="moz-txt-link-freetext" href="https://www.siphub.com"
moz-do-not-send="true">https://www.siphub.com</a></pre>
<div class="moz-cite-prefix">On 30.11.2023 02:34, Gregory Massel
via Users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d762af95-cf4a-4015-9a9c-1ce42d2cd0dc@switchtel.co.za">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<p>Hi all</p>
<p>I'm wondering what the best practice is in terms of
detection and dropping attempted SQL injection attacks?</p>
<p>Is something like the following adequate or can this be
enhanced:</p>
<pre>if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) {
drop();
}
</pre>
<div class="moz-signature">Obviously this does not remove the
need to escape anything passed to avp_db_query(), however,
what I want to do is identify these sorts of attacks at the
top of the script and avoid processing.</div>
<div class="moz-signature"><br>
</div>
<div class="moz-signature">To date all the attacks I've seen
focus on the contact and from user, e.g.:</div>
<div class="moz-signature">
<pre>INVITE <a class="moz-txt-link-freetext"
href="sip:00111390237920793@x.x.x.x:5060;transport=UDP"
moz-do-not-send="true">sip:00111390237920793@x.x.x.x:5060;transport=UDP</a> SIP/2.0
Contact: <a class="moz-txt-link-rfc2396E"
href="sip:a'or'3=3--@x.x.x.x:5060;transport=UDP"
moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x:5060;transport=UDP></a>
To: <a class="moz-txt-link-rfc2396E"
href="sip:00111390237920793@x.x.x.x;transport=UDP"
moz-do-not-send="true"><sip:00111390237920793@x.x.x.x;transport=UDP></a>
From: <a class="moz-txt-link-rfc2396E"
href="sip:a'or'3=3--@x.x.x.x;transport=UDP"
moz-do-not-send="true"><sip:a'or'3=3--@x.x.x.x;transport=UDP></a>;tag=v2pjtxqb</pre>
</div>
<div class="moz-signature">I'm not quite sure how to match the
Contact user. Would the following work?</div>
<div class="moz-signature">
<pre>if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) {
drop();
}
</pre>
</div>
<div class="moz-signature">-- <br>
<span
style="font-size:11.0pt;font-family:Assistant;color:black">Regards<br>
</span> <span
style="font-size:11pt;font-family:Assistant;color:#44546A">
<b>Gregory Massel</b></span><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</blockquote>
<div class="moz-signature"><span
style="font-size:11.0pt;font-family:Assistant;color:#32444B"><br>
</span></div>
</blockquote>
<br>
</body>
</html>