[asterisk-bugs] [Asterisk 0016911]: [patch] Useful new wildcards to ease secure dialplans

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Jun 7 10:54:47 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16911 
====================================================================== 
Reported By:                Nick_Lewis
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   16911
Category:                   PBX/NewFeature
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     confirmed
Target Version:             1.6.2.10
Asterisk Version:           SVN 
JIRA:                       SWP-1003 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-02-26 06:02 CST
Last Modified:              2010-06-07 10:54 CDT
====================================================================== 
Summary:                    [patch] Useful new wildcards to ease secure
dialplans
Description: 
There are a couple of features of the "." wildcard that make the dialplan
vulnerable to attack.
(1) there is no restriction on the length of the extension that will match
on "." which increases the risk of trailing dialplan injections
(2) there is no restriction on the content of the trailing portion of the
exten/callerid

I propose a new wildcard "?" that matches on just one char which can be
used instead of the "." wildcard to limit the length. For example if the
pattern 
_123. 
were replaced with 
_123??????? 
it would limit the extension to a maximum of 10 characters.

I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z] which
simplifies the control of the chars used in an extension to exclude
punctuation. For example if the pattern 
_123??????? 
were replaced with 
_123PPPPPPP 
it would limit the trailing part of the extension to alphanumeric
characters only.

====================================================================== 
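The following is an added example, not code from the report or from Asterisk itself. It models the dialplan pattern language in Python so the three patterns above can be compared side by side: the real `X`/`Z`/`N`/`[...]`/`.`/`!` tokens, plus the proposed `?` and `P` tokens exactly as the report defines them. The translation to a regular expression is a simplification (uppercase tokens only, no handling of Asterisk's rule that `.` and `!` must come last), and the extensions fed in are constructed samples. The `max_length` helper is the check a dialplan reviewer would want: it flags any pattern whose tail is unbounded.

```python
import re

# Single-position tokens: the real Asterisk classes plus the two proposed
# in the report ("?" = any one character, "P" = one alphanumeric character).
# Uppercase-only is an assumption of this model, not Asterisk behaviour.
_SINGLE = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    "P": "[0-9a-zA-Z]",   # proposed
    "?": ".",             # proposed
}

# Tail tokens that match an unbounded number of characters.
_UNBOUNDED = {".": ".+", "!": ".*"}


def tokenize(pattern: str) -> list:
    """Split the body of a '_pattern' into one token per matched position."""
    body = pattern[1:]
    tokens, i = [], 0
    while i < len(body):
        if body[i] == "[":
            j = body.index("]", i)      # character set, e.g. [0-9a-zA-Z]
            tokens.append(body[i:j + 1])
            i = j + 1
        else:
            tokens.append(body[i])
            i += 1
    return tokens


def pattern_to_regex(pattern: str) -> str:
    """Translate a dialplan pattern into an anchored regular expression."""
    if not pattern.startswith("_"):
        return "^" + re.escape(pattern) + "$"   # plain extension: literal match
    parts = []
    for tok in tokenize(pattern):
        if tok.startswith("["):
            inner = tok[1:-1].replace("\\", "\\\\")
            if inner.startswith("^"):
                inner = "\\" + inner
            parts.append("[" + inner + "]")
        elif tok in _UNBOUNDED:
            parts.append(_UNBOUNDED[tok])
        elif tok in _SINGLE:
            parts.append(_SINGLE[tok])
        else:
            parts.append(re.escape(tok))
    return "^" + "".join(parts) + "$"


def matches(pattern: str, exten: str) -> bool:
    """True if the dialled extension matches the pattern."""
    return re.match(pattern_to_regex(pattern), exten) is not None


def max_length(pattern: str):
    """Longest extension the pattern can match, or None when it is unbounded."""
    if not pattern.startswith("_"):
        return len(pattern)
    tokens = tokenize(pattern)
    if any(t in _UNBOUNDED for t in tokens):
        return None
    return len(tokens)


def audit(patterns: list, extens: list) -> dict:
    """For each pattern: its length bound and which sample extensions it accepts."""
    return {
        p: {"max_length": max_length(p),
            "accepts": [e for e in extens if matches(p, e)]}
        for p in patterns
    }


if __name__ == "__main__":
    # Constructed sample extensions: a 10-digit number, a 20-digit number,
    # one with punctuation in the tail, and one with letters in the tail.
    samples = ["1234567890", "12345678901234567890", "123-456-78", "123abcDEF4"]
    for pat, info in audit(["_123.", "_123???????", "_123PPPPPPP", "_123XXXXXXX"],
                           samples).items():
        print(f"{pat:14} max_length={info['max_length']} accepts={info['accepts']}")
```

Running the block shows the point of the report: `_123.` has no length bound and accepts every sample, `_123???????` caps the extension at 10 characters but still admits punctuation, and `_123PPPPPPP` additionally restricts the tail to alphanumerics. The last pattern, `_123XXXXXXX`, is what current Asterisk already offers when the tail is meant to be digits only.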

---------------------------------------------------------------------- 
 (0123059) Nick_Lewis (reporter) - 2010-06-07 10:54
 https://issues.asterisk.org/view.php?id=16911#c123059 
---------------------------------------------------------------------- 
I see that the target version has slipped. Would it help if this were to go
to the reviewboard? 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-06-07 10:54 Nick_Lewis     Note Added: 0123059                          
======================================================================