[asterisk-bugs] [Asterisk 0016911]: [patch] Useful new wildcards to ease secure dialplans

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Jul 26 15:08:45 CDT 2010


The following issue has been ASSIGNED. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16911 
====================================================================== 
Reported By:                Nick_Lewis
Assigned To:                lmadsen
====================================================================== 
Project:                    Asterisk
Issue ID:                   16911
Category:                   PBX/NewFeature
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     confirmed
Asterisk Version:           SVN 
JIRA:                       SWP-1003 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-02-26 06:02 CST
Last Modified:              2010-07-26 15:08 CDT
====================================================================== 
Summary:                    [patch] Useful new wildcards to ease secure dialplans
Description: 
There are a couple of features of the "." wildcard that make the dialplan
vulnerable to attack:
(1) There is no restriction on the length of the extension that will match
on ".", which increases the risk of trailing dialplan injections.
(2) There is no restriction on the content of the trailing portion of the
exten/callerid.

I propose a new wildcard "?" that matches on just one char, which can be
used instead of the "." wildcard to limit the length. For example, if the
pattern
_123.
were replaced with
_123???????
it would limit the extension to a maximum of 10 characters.

I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z], which
simplifies the control of the chars used in an extension to exclude
punctuation. For example, if the pattern
_123???????
were replaced with
_123PPPPPPP
it would limit the trailing part of the extension to alphanumeric
characters only.

====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-07-26 15:08 lmadsen        Assigned To               => lmadsen         
2010-07-26 15:08 lmadsen        Target Version           1.6.2.10 =>         
======================================================================
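The wildcard semantics described in the report above, as an added example that is not part of this issue, of the attached patch, or of Asterisk's own code: a small Python matcher that translates Asterisk-style extension patterns into regular expressions and runs the three patterns from the description over a few constructed extensions. The X, Z, N, [...], "." and "!" wildcards are implemented as stock Asterisk defines them (with "." matching one or more characters of any kind); the "?" (exactly one character) and "P" (one alphanumeric character) wildcards are the proposal from this issue and are an assumption of this example, as are the helper names pattern_to_regex, matches and check and the sample extensions. Because "?" consumes exactly one character, _123??????? accepts only ten-character extensions, which caps the length as the report intends; the unbounded "." also accepts punctuation in the trailing part, which "P" rejects.

```python
import re

# Single-character wildcard classes. X, Z and N are stock Asterisk dialplan
# wildcards. "?" and "P" are the wildcards PROPOSED in issue 16911 and are an
# assumption of this example, not stock Asterisk syntax.
CLASSES = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    "?": ".",            # proposed: exactly one character of any kind
    "P": "[0-9A-Za-z]",  # proposed: exactly one alphanumeric character
}


def pattern_to_regex(pattern):
    """Translate an Asterisk-style extension pattern into a regex string."""
    if not pattern.startswith("_"):
        # Without a leading underscore the extension is a literal, exact match.
        return re.escape(pattern)
    parts = []
    i = 1
    while i < len(pattern):
        c = pattern[i]
        if c in CLASSES:
            parts.append(CLASSES[c])
        elif c == ".":
            parts.append(".+")  # stock ".": one or more characters, no length bound
        elif c == "!":
            parts.append(".*")  # stock "!": zero or more characters
        elif c == "[":
            # Character set such as [2-9] or [12], copied through as a regex set
            # (simplification: no escaping of special characters inside the set).
            end = pattern.index("]", i)
            parts.append("[" + pattern[i + 1:end] + "]")
            i = end
        else:
            parts.append(re.escape(c))  # literal digit or symbol
        i += 1
    return "".join(parts)


def matches(pattern, exten):
    """True if the dialled extension matches the pattern in full."""
    return re.fullmatch(pattern_to_regex(pattern), exten) is not None


def check(pattern, extens):
    """Map each candidate extension to whether the pattern accepts it."""
    return {e: matches(pattern, e) for e in extens}


# Constructed sample extensions (not from the issue): a normal ten-character
# extension, an over-long one, one with punctuation in the trailing part, and
# one that is too short to match any of the three patterns.
SAMPLES = ["1234567890", "123456789012345", "1234567@89", "123"]

if __name__ == "__main__":
    for pat in ("_123.", "_123???????", "_123PPPPPPP"):
        print(pat, check(pat, SAMPLES))
```

Running the block prints one line per pattern; _123. accepts the over-long and the punctuated extension, _123??????? rejects the over-long one but still accepts "1234567@89", and _123PPPPPPP rejects both.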



