[asterisk-bugs] [JIRA] (ASTERISK-24934) [patch]Asterisk manager output does not escape control characters
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Wed Jul 27 10:22:06 CDT 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-24934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-24934:
-------------------------------------
Target Release Version/s: 14.0.0
> [patch]Asterisk manager output does not escape control characters
> -----------------------------------------------------------------
>
> Key: ASTERISK-24934
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24934
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/ManagerInterface
> Affects Versions: 11.17.0, 12.8.1, 13.3.0
> Environment: Tested on most recent asterisk 11 branch
> Reporter: warren smith
> Assignee: Kevin Harwell
> Target Release: 13.5.0, 14.0.0
>
> Attachments: asterisk_manager_escaped_output.patch
>
>
> Asterisk manager output is created using printf formatting, like:
> manager_event(SOME_EVENT_FLAG, "EventName",
> "KeyOne: %s\r\nKeyTwo: %s\r\n", val1, val2);
> This causes problems when the values themselves contain control characters like carriage return and newline, so that applications parsing the output will interpret this as a new key, or the end of an event. An example of this is having a callerid contain "\r\n\r\n". This ends the event, and the keys for the same event are interpreted as a new message, and any keys below are missed for the real event.
> I've included a patch that provides a ast_escape_c() function which takes a string, then returns a pointer to a new string that has the c characters escaped (i.e., newline into \n). I've modified the calls to the manager_event functions (manager_event, ast_manager_event, ast_manager_event_multichan) so that values that could be set by a user are escaped. The string values that as far as I know aren't user-created were left as-is, like channel names and uniqueid.
> There are quite a few calls to the manager event functions and I've double checked to make sure all memory allocations are freed after creating the escaped string. I also had added an ast_replace_string function which i didn't end up using, and added an ast_escape_output function which just calls ast_escape_c. An alternative would be to replace the sequence "\r\n" with the escaped version, rather than the individual characters.
> I'm testing on our asterisk 11 install and this fixes the parsing bugs we run into from messed up callerids and things like agent names containing return + newline.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list