首頁 探索 說明
登入
Kamailio
/
kamailio
镜像来自 https://github.com/kamailio/kamailio.git
2
0
複刻 0
檔案 問題管理 0 Wiki
瀏覽代碼

secfilter: in check sql injection function initialize str variables to NULL. In get values from headers it is checked if From or To name is empty to avoid false positives

Jose Luis Verdeguer 6 年之前
父節點
6cb53228ff
當前提交
d309e27b1a
共有 2 個文件被更改,包括 6 次插入6 次删除
分割檢視 顯示文件統計
  1. 4 4
      src/modules/secfilter/secfilter.c
  2. 2 2
      src/modules/secfilter/secfilter_hdr.c

+ 4 - 4
src/modules/secfilter/secfilter.c
查看文件 

@@ -131,10 +131,10 @@ PREVENT SQL INJECTION
 
 /* External function to search for illegal characters in several headers */
 
 static int w_check_sqli_all(struct sip_msg *msg)
 
 {
 
-	str ua;
 
-	str name;
 
-	str user;
 
-	str domain;
 
+	str ua = STR_NULL;
 
+	str name = STR_NULL;
 
+	str user = STR_NULL;
 
+	str domain = STR_NULL;
 
 	int res;
 
 	int retval = 1;

+ 2 - 2
src/modules/secfilter/secfilter_hdr.c
查看文件 

@@ -74,7 +74,7 @@ int secf_get_from(struct sip_msg *msg, str *name, str *user, str *domain)
 
 	}
 
 
 	hdr = get_from(msg);
 
-	if(hdr->display.s != NULL) {
 
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
 
 		name->s = hdr->display.s;
 
 		name->len = hdr->display.len;
 
 
@@ -128,7 +128,7 @@ int secf_get_to(struct sip_msg *msg, str *name, str *user, str *domain)
 
 	}
 
 
 	hdr = get_to(msg);
 
-	if(hdr->display.s != NULL) {
 
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
 
 		name->s = hdr->display.s;
 
 		name->len = hdr->display.len;