[asterisk-bugs] [JIRA] (ASTERISK-24934) [patch]Asterisk manager output does not escape control characters

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Wed May 13 13:46:32 CDT 2015 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-24934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Harwell reassigned ASTERISK-24934:
----------------------------------------

    Assignee: Kevin Harwell

> [patch]Asterisk manager output does not escape control characters
> -----------------------------------------------------------------
>
>                 Key: ASTERISK-24934
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24934
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/ManagerInterface
>    Affects Versions: 11.17.0, 12.8.1, 13.3.0
>         Environment: Tested on most recent asterisk 11 branch
>            Reporter: warren smith
>            Assignee: Kevin Harwell
>         Attachments: asterisk_manager_escaped_output.patch
>
>
> Asterisk manager output is created using printf formatting, like:
> manager_event(SOME_EVENT_FLAG, "EventName",
>     "KeyOne: %s\r\nKeyTwo: %s\r\n", val1, val2);
> This causes problems when the values themselves contain control characters like carriage return and newline, so that applications parsing the output will interpret this as a new key, or the end of an event.  An example of this is having a callerid contain "\r\n\r\n".  This ends the event, and the keys for the same event are interpreted as a new message, and any keys below are missed for the real event.
> I've included a patch that provides a ast_escape_c() function which takes a string, then returns a pointer to a new string that has the c characters escaped (i.e., newline into \n).  I've modified the calls to the manager_event functions (manager_event, ast_manager_event, ast_manager_event_multichan) so that values that could be set by a user are escaped.  The string values that as far as I know aren't user-created were left as-is, like channel names and uniqueid.
> There are quite a few calls to the manager event functions and I've double checked to make sure all memory allocations are freed after creating the escaped string.  I also had added an ast_replace_string function which i didn't end up using, and added an ast_escape_output function which just calls ast_escape_c.  An alternative would be to replace the sequence "\r\n" with the escaped version, rather than the individual characters.
> I'm testing on our asterisk 11 install and this fixes the parsing bugs we run into from messed up callerids and things like agent names containing return + newline.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list