[asterisk-bugs] [JIRA] (ASTERISK-22905) Prevent Asterisk functions that are 'dangerous' from being executed from external interfaces

Matt Jordan (JIRA) noreply at issues.asterisk.org
Thu Feb 6 17:01:12 CST 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-22905?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-22905:
-----------------------------------

    Target Release Version/s: 11.8.0
    
> Prevent Asterisk functions that are 'dangerous' from being executed from external interfaces
> --------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-22905
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22905
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Core/General, Core/ManagerInterface, Functions/General, Resources/res_agi, Resources/res_ari
>    Affects Versions: 12.0.0-beta1
>            Reporter: Matt Jordan
>            Assignee: David M. Lee
>              Labels: Security
>      Target Release: 1.8.24.1, 1.8.26.0, 10.12.4, 10.12.4-digiumphones, 11.6.1, 11.8.0
>
>         Attachments: live-dangerously-12-2.diff, live-dangerously-12.diff, live-dangerously-1.8.diff
>
>
> The way Asterisk handles functions during variable substitution makes it inherently dangerous for certain functions to be loaded in Asterisk.
> For example, having the SHELL function loaded means anyone using AMI/AGI/ARI can use the function as part of a variable set/get action. The fact that such execution can be embedded in fairly complex ways means that there's no concrete way of preventing said function execution unless the system fundamentally prevents it.
> This issue proposes the following:
> # Modify function registration such that a function can register itself as 'unsafe'. Unsafe functions can be executed from the dialplan (you're in Asterisk, after all), but not from external interfaces during variable substitution/evaluation.
> # When AMI/ARI/AGI calls a {{pbx}} function to evaluate a variable, the call should not to the pbx core that the call is coming from an external system. Function evaluation should not occur if the function being evaluated was marked as unsafe.
> # To override this behavior, a new {{asterisk.conf}} parameter should be added ({{live_dangerously}}?) that lets the evaluation take place regardless. This preserves the behavior in prior versions (in case people actually want to use SHELL from AMI).
> This behavior should be introduced in Asterisk 12 - there's not much sense in introducing this midstream into Asterisk 1.8 or 11, as AMI already contains rudimentary protections for these functions.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira



More information about the asterisk-bugs mailing list