Re-used processes don't require login
Bug #1227273 reported by
Thomas Berezansky
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| SIPServer |
Fix Released
|
High
|
Unassigned | ||
Bug Description
When a new connection gets a process that had previously logged in the client can skip the login process entirely and continue on as though they were the previous user on that process.
I have an apparently working fix in the new SIPServer security repo (<email address hidden>
Revision history for this message
| Galen Charlton (gmc) wrote | #2 |
Revision history for this message
| Bill Erickson (berick) wrote | #3 |
Revision history for this message
| Galen Charlton (gmc) wrote | #4 |
| information type: | Private Security → Public |
| Changed in sipserver: | |
| status: | New → Fix Committed |
| Changed in sipserver: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
I've reproduced the problem (by running a SIP server that has max_servers set to 1) and successfully tested Thomas's patch.
I've pushed a signed-off version of it to security/
- makes explicit the already implicit requirement that 93 be the first message presented when using the raw transport
- tweak the logging for clients that break that convention -- hopefully this will make it easier to identify clients that don't attempt to log in first.