[asterisk-bugs] [Asterisk 0016911]: Useful new wildcards to ease secure dialplans

Asterisk Bug Tracker noreply at bugs.digium.com
Fri Feb 26 06:02:31 CST 2010


The following issue has been SUBMITTED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16911 
====================================================================== 
Reported By:                Nick_Lewis
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   16911
Category:                   PBX/NewFeature
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-02-26 06:02 CST
Last Modified:              2010-02-26 06:02 CST
====================================================================== 
Summary:                    Useful new wildcards to ease secure dialplans
Description: 
There are a couple of features of the "." wildcard that make the dialplan
vulnerable to attack.
(1) there is no restriction on the length of the extension that will match
on "." which increases the risk of trailing dialplan injections
(2) there is no restriction on the content of the trailing portion of the
exten/callerid

I propose a new wildcard "?" that matches on just one char which can be
used instead of the "." wildcard to limit the length. For example if the
pattern 
_123. 
were replaced with 
_123??????? 
it would limit the extension to a maximum of 10 characters.

I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z] which
simplifies the control of the chars used in an extension to exclude
punctuation. For example if the pattern 
_123??????? 
were replaced with 
_123PPPPPPP 
it would limit the trailing part of the extension to alphanumeric
characters only.

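To make the three behaviours above concrete, here is a small pattern matcher written for this note (it is an added example, not Asterisk's own pattern-matching code). It translates an underscore pattern into a regular expression using the existing X, Z, N, ".", "!" and bracket classes, and adds the "?" and "P" wildcards exactly as the report proposes them; those two are assumptions about the proposal, since Asterisk itself does not implement them. The sample extensions are constructed. Real Asterisk also ranks competing matches by specificity, which this toy deliberately leaves out.

```python
import re

# Character classes of the existing Asterisk pattern language, plus the two
# wildcards this report proposes ("?" and "P"). The proposed ones are marked.
WILDCARDS = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    ".": ".+",           # one or more of anything: no length or content limit
    "!": ".*",           # zero or more of anything
    "?": ".",            # PROPOSED in this report: exactly one character of any kind
    "P": "[0-9a-zA-Z]",  # PROPOSED in this report: exactly one alphanumeric character
}


def pattern_to_regex(pattern):
    """Translate an Asterisk-style extension pattern into a compiled regex.

    A pattern without the leading underscore is a literal extension and is
    matched verbatim.
    """
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))
    body = pattern[1:]
    parts = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "[":
            # Explicit character set such as [2-9] or [02-9]: pass it through
            # unchanged, it is already valid regex class syntax.
            end = body.index("]", i)
            parts.append("[" + body[i + 1:end] + "]")
            i = end + 1
            continue
        parts.append(WILDCARDS.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(parts))


def matches(pattern, exten):
    """True if the whole extension string matches the pattern."""
    return pattern_to_regex(pattern).fullmatch(exten) is not None


def matching_patterns(exten, patterns):
    """Return every pattern in `patterns` that accepts `exten`."""
    return [p for p in patterns if matches(p, exten)]


if __name__ == "__main__":
    # Constructed sample inputs: a normal 10-digit extension, an over-long one,
    # and one carrying punctuation in the trailing part.
    samples = ["1234567890", "12345678901234567890", "1234567;89", "123abcDEF9"]
    candidates = ["_123.", "_123???????", "_123PPPPPPP"]
    for exten in samples:
        print(f"{exten!r:28} matches {matching_patterns(exten, candidates)}")
```

Running it shows the point of the report: "_123." accepts all four samples, "_123???????" rejects the over-long one but still accepts the semicolon, and "_123PPPPPPP" accepts only the two alphanumeric 10-character extensions.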
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-02-26 06:02 Nick_Lewis     New Issue                                    
2010-02-26 06:02 Nick_Lewis     Asterisk Version          => SVN             
2010-02-26 06:02 Nick_Lewis     Regression                => No              
2010-02-26 06:02 Nick_Lewis     SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================