[asterisk-bugs] [JIRA] (ASTERISK-15699) [patch] Useful new wildcards to ease secure dialplans
Leif Madsen (JIRA)
noreply at issues.asterisk.org
Thu Apr 21 14:30:56 CDT 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-15699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leif Madsen closed ASTERISK-15699.
----------------------------------
Resolution: Suspended
Pretty sure this never moves forward, so I'm closing it out.
> [patch] Useful new wildcards to ease secure dialplans
> -----------------------------------------------------
>
> Key: ASTERISK-15699
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-15699
> Project: Asterisk
> Issue Type: New Feature
> Components: PBX/NewFeature
> Reporter: nick_lewis
> Assignee: Leif Madsen
> Attachments: pbx.c-onecharwildcards2.patch, pbx.c-onecharwildcards.patch
>
>
> There are a couple of features of the "." wildcard that make the dialplan vulnerable to attack.
> (1) There is no restriction on the length of the extension that will match on ".", which increases the risk of trailing dialplan injections.
> (2) There is no restriction on the content of the trailing portion of the exten/callerid.
> I propose a new wildcard "?" that matches on just one char, which can be used instead of the "." wildcard to limit the length. For example, if the pattern
> _123.
> were replaced with
> _123???????
> it would limit the extension to a maximum of 10 characters.
> I also propose a new wildcard "P" as a shorthand for [0-9a-zA-Z], which simplifies the control of the chars used in an extension to exclude punctuation. For example, if the pattern
> _123???????
> were replaced with
> _123PPPPPPP
> it would limit the trailing part of the extension to alphanumeric characters only.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
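The matching behaviour described in the quoted issue, as an added example that is not part of the original message or the attached patches: a small matcher that translates extension patterns to regular expressions and compares the three patterns from the issue on the same inputs. The `?` and `P` wildcards are modelled from the issue text only (the issue was closed as Suspended, so they are assumed not to exist in Asterisk); the function names and the sample extensions are constructed for illustration.

```python
import re

# X, Z, N, "[...]" and "." are existing dialplan pattern syntax.
# "?" and "P" follow the proposal quoted in the issue (assumption:
# they are not available in released Asterisk).
CLASSES = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    "?": ".",            # proposed: exactly one character of any kind
    "P": "[0-9a-zA-Z]",  # proposed: exactly one alphanumeric character
}

def pattern_to_regex(pattern):
    """Translate a dialplan extension pattern into a compiled regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))  # no underscore: literal extension
    out, i, body = [], 0, pattern[1:]
    while i < len(body):
        ch = body[i]
        if ch == ".":            # one or more characters, no length or content limit
            out.append(".+")
            break                # "." consumes the rest of the extension
        elif ch == "[":          # explicit character set such as [0-9a-zA-Z]
            end = body.index("]", i)
            members = re.escape(body[i + 1:end]).replace(r"\-", "-")
            out.append("[" + members + "]")
            i = end
        else:                    # wildcard letter, or a literal character
            out.append(CLASSES.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(pattern, exten):
    return pattern_to_regex(pattern).fullmatch(exten) is not None

PATTERNS = ["_123.", "_123???????", "_123PPPPPPP"]

def compare(exten):
    """Return {pattern: matched?} for the three patterns from the issue."""
    return {p: matches(p, exten) for p in PATTERNS}

if __name__ == "__main__":
    # Constructed sample extensions: plain digits, over-long, punctuation.
    for exten in ["1234567890", "1234567890123456789012345", "1234567&ab"]:
        print(exten, compare(exten))
```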