| Summary: | ASTERISK-25339: res_pjsip: Empty "auth" sections from non-config backgrounds are interpreted as valid | ||
| Reporter: | Matt Jordan (mjordan) | Labels: | |
| Date Opened: | 2015-08-23 18:39:05 | Date Closed: | 2015-08-24 14:01:39 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | Resources/res_pjsip |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | When using a non-static conf file backend, a non-existant {{auth}} parameter will be stored as an empty value. This causes {{res_pjsip}} to assume that an empty {{auth}} value was provided, which causes the endpoint to believe that it should authenticate inbound requests, even though no {{auth}} section exists for its empty {{auth}} value.
As an example, consider the following: {code} [res_pjsip] endpoint=astdb,ps_endpoints {code} When an endpoint is created via ARI, it will be stored in the database on something like the following: {code} /ps_endpoints/endpoint/foo : {"send_diversion":"true","device_state_busy_at":"0","direct_media_method":"invite","sdp_owner":"foo","pickup_group":"","timers_sess_expires":"1800","message_context":"","accountcode":"","dtls_fingerprint":"SHA-256","rpid_immediate":"false","force_avp":"false","aors":"foo","trust_id_inbound":"false","ice_support":"false","fax_detect":"false","outbound_proxy":"","t38_udptl_maxdatagram":"0","direct_media_glare_mitigation":"none","dtls_rekey":"0","context":"from-external","media_encryption_optimistic":"false","named_pickup_group":"","from_domain":"","mailboxes":"","sdp_session":"foo","rtp_timeout":"30","identify_by":"username","t38_udptl":"false","send_rpid":"false","rtp_engine":"asterisk","t38_udptl_ec":"none","dtls_verify":"No","aggregate_mwi":"true","moh_suggest":"default","media_encryption":"no","callerid":"<unknown>","named_call_group":"","record_on_feature":"automixmon","dtls_setup":"active","inband_progress":"false","timers_min_se":"90","tos_video":"0","rtp_symmetric":"true","rtp_ipv6":"false","record_off_feature":"automixmon","rtp_keepalive":"30","transport":"","t38_udptl_nat":"false","connected_line_method":"invite","allow_transfer":"true","allow_subscribe":"true","srtp_tag_32":"false","g726_non_standard":"false","100rel":"yes","use_avpf":"false","call_group":"","user_eq_phone":"false","allow":"(ulaw|alaw)","sub_min_expiry":"0","force_rport":"true","direct_media":"true","tos_audio":"0","use_ptime":"false","rtp_timeout_hold":"0","dtmf_mode":"rfc4733","media_use_received_transport":"false","language":"","mwi_from_user":"","one_touch_recording":"false","cos_video":"0","rewrite_contact":"false","cos_audio":"0","t38_udptl_ipv6":"false","trust_id_outbound":"false","tone_zone":"","from_user":"","disable_direct_media_on_nat":"false","media_address":"","timers":"yes","send_pai":"false","callerid_privacy":"allowed_not_screened"} {code} Note that the {{auth}} value is blank. This will be interpreted by {{res_pjsip}} as being a valid auth object, which doesn't exist. The desired behaviour is that we just don't authenticate inbound requests. | ||
| Comments: | |||