Re-used processes don't require login
Bug #1227273 reported by Thomas Berezansky
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
SIPServer | Fix Released | High | Unassigned | |
Bug Description
When a new connection gets a process that had previously logged in, the client can skip the login process entirely and continue on as though they were the previous user on that process.
I have an apparently working fix in the new SIPServer security repo (<email address hidden>
Changed in sipserver: status: Fix Committed → Fix Released
I've reproduced the problem (by running a SIP server that has max_servers set to 1) and successfully tested Thomas's patch.
I've pushed a signed-off version of it to security/reset_account_info_signedoff along with a follow-up that does two things:
- makes explicit the already implicit requirement that 93 be the first message presented when using the raw transport
- tweaks the logging for clients that break that convention -- hopefully this will make it easier to identify clients that don't attempt to log in first.
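A minimal model of the bug and of the two changes discussed in this report, added here as an illustration; it is not SIPServer code or the patch itself. The `Worker` class, the simplified `93user|password` message layout and the `OK ...` reply strings are assumptions made for the example.

```python
import logging

log = logging.getLogger("sip-model")
LOGIN = "93"  # SIP2 Login request identifier


class Worker:
    """Models one pre-forked server process that serves connections in turn."""

    def __init__(self, accounts, reset_on_connect):
        self.accounts = accounts                  # constructed credential table
        self.reset_on_connect = reset_on_connect  # False reproduces the bug
        self.account = None                       # state that outlives a connection

    def serve(self, peer, messages):
        """Handle one client connection and return the replies sent to it."""
        if self.reset_on_connect:
            # Fix: forget whoever logged in on this process before.
            self.account = None
        replies = []
        for msg in messages:
            code = msg[:2]
            if code == LOGIN:
                user, _, password = msg[2:].partition("|")
                ok = self.accounts.get(user) == password
                self.account = user if ok else None
                replies.append("941" if ok else "940")  # 94 = Login response
                if not ok:
                    break
            elif self.account is None:
                # Follow-up: 93 must come first on the raw transport; log the
                # offender so clients that never log in can be identified.
                log.warning("peer %s sent %s before 93; closing", peer, code)
                break
            else:
                replies.append(f"OK {code} as {self.account}")
        return replies


if __name__ == "__main__":
    accounts = {"alice": "s3cret"}  # constructed sample data
    for reset in (False, True):
        w = Worker(accounts, reset_on_connect=reset)
        w.serve("10.0.0.1", ["93alice|s3cret", "23"])
        print("reset =", reset, "->", w.serve("10.0.0.2", ["23"]))
```

With `reset_on_connect=False` the second connection is answered as `alice` without ever sending 93, which is the behaviour reproduced above with `max_servers` set to 1.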