[Freeswitch-users] patch for sofia_sip_i_invite to support replaces with action
Michael Jerris
mike at jerris.com
Wed Apr 22 18:33:42 MSD 2015
Sometimes the call is authenticated, sometimes not. Regardless, do you want any authenticated call to be able to run any arbitrary application including "system" on your switch?
> On Apr 22, 2015, at 9:47 AM, Luis Azedo <luis.azedo at factorlusitano.com> wrote:
>
> Couldn't this be a huge security vulnerability used to inject arbitrary commands into a session in FreeSWITCH?
>
>
> Isn't the call authenticated first? Anyway, an option can be added to sip_profile to allow this.
>
> Why don't you pass the call to mod_perl or Lua, and do all the
> necessary lookups in the script? This shouldn't be a big deal to
> implement, and much more safe than patching mod_sofia.
>
> Not an option, but thanks for suggesting.