[asterisk-bugs] [Asterisk 0016911]: Useful new wildcards to ease secure dialplans
Asterisk Bug Tracker
noreply at bugs.digium.com
Fri Feb 26 06:02:31 CST 2010
The following issue has been SUBMITTED.
======================================================================
https://issues.asterisk.org/view.php?id=16911
======================================================================
Reported By: Nick_Lewis
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 16911
Category: PBX/NewFeature
Reproducibility: always
Severity: feature
Priority: normal
Status: new
Asterisk Version: SVN
JIRA:
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2010-02-26 06:02 CST
Last Modified: 2010-02-26 06:02 CST
======================================================================
Summary: Useful new wildcards to ease secure dialplans
Description:
There are a couple of features of the "." wildcard that make the dialplan
vulnerable to attack.
(1) there is no restriction on the length of the extension that will match
on "." which increases the risk of trailing dialplan injections
(2) there is no restriction on the content of the trailing portion of the
exten/callerid
I propose a new wildcard "?" that matches on just one char which can be
used instead of the "." wildcard to limit the length. For example if the
pattern
_123.
were replaced with
_123???????
it would limit the extension to a maximum of 10 characters.
I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z] which
simplifies the control of the chars used in an extension to exclude
punctuation. For example if the pattern
_123???????
were replaced with
_123PPPPPPP
it would limit the trailing part of the extension to alphanumeric
characters only.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2010-02-26 06:02 Nick_Lewis New Issue
2010-02-26 06:02 Nick_Lewis Asterisk Version => SVN
2010-02-26 06:02 Nick_Lewis Regression => No
2010-02-26 06:02 Nick_Lewis SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
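To make the length and character-set effects described in the report concrete, the following is a small Python model of dialplan pattern matching. It is an example added to this page, not Asterisk's own matcher: X, Z, N, [...], "." and "!" are modelled after the existing Asterisk wildcards, while "?" and "P" are only the wildcards proposed above and are not implemented in Asterisk. The sample extensions (a clean ten-digit number, the same number with trailing injected data, an alphanumeric extension and one containing punctuation) are constructed for the example.

```python
import re

# Simplified model of Asterisk extension-pattern matching (example code added
# here, not Asterisk's own matcher).  X, Z, N, [...], "." and "!" follow the
# wildcards Asterisk already has; "?" and "P" are the two wildcards this
# report proposes and are NOT implemented in Asterisk -- they are modelled
# here only to show the effect the reporter describes.
_CLASSES = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    ".": ".+",            # one or more of anything, so no length bound at all
    "!": ".*",            # zero or more of anything (early-match behaviour ignored)
    "?": ".",             # proposed: exactly one character of any kind
    "P": "[0-9A-Za-z]",   # proposed: exactly one alphanumeric character
}

# Only plain alphanumeric ranges are accepted inside [...] in this model.
_SET_BODY = re.compile(r"^[0-9A-Za-z-]+$")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one dialplan pattern into a regular expression.

    A pattern starting with "_" is a wildcard pattern; anything else is a
    literal extension.  Anchoring at both ends is done by fullmatch().
    """
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern), re.DOTALL)
    parts = []
    i = 1
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":
            close = pattern.find("]", i)
            if close == -1:
                raise ValueError(f"unterminated [ ] set in {pattern!r}")
            body = pattern[i + 1:close]
            if not _SET_BODY.match(body):
                raise ValueError(f"unsupported set body {body!r} in {pattern!r}")
            parts.append("[" + body + "]")
            i = close + 1
            continue
        parts.append(_CLASSES.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern: str, exten: str) -> bool:
    """True if the dialled extension matches the whole pattern."""
    return pattern_to_regex(pattern).fullmatch(exten) is not None


# Constructed sample extensions for the comparison below.
SAMPLES = {
    "clean": "1234567890",                 # ten digits, what the dialplan expects
    "trailing_injection": "1234567890;ext=9999",  # same number plus trailing payload
    "alnum": "1234567abc",                 # ten alphanumeric characters
    "punct": "1234567a;c",                 # ten characters, one of them punctuation
}

# The three patterns discussed in the report.
PATTERNS = ("_123.", "_123???????", "_123PPPPPPP")


def compare(samples=SAMPLES, patterns=PATTERNS) -> dict:
    """For each sample extension, report which of the patterns accept it."""
    return {name: {p: matches(p, ext) for p in patterns}
            for name, ext in samples.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s}",
              {p: ("match" if ok else "no") for p, ok in result.items()})
```

Running the comparison shows the two points of the report: `_123.` accepts the extension with the trailing payload, `_123???????` rejects it because it is longer than ten characters, and `_123PPPPPPP` additionally rejects the ten-character extension containing ";". One caveat worth keeping in mind when writing such patterns: each "?" or "P" consumes exactly one character, so `_123???????` accepts only ten-character extensions, and shorter valid lengths need their own patterns. The model also ignores Asterisk rules that do not matter for this point, such as "." and "!" being meant as the last character of a pattern and the best-match ordering between several candidate patterns.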