[asterisk-bugs] [JIRA] (ASTERISK-25996) Remove "live_dangerously" requirement on DB(read)
George Joseph (JIRA)
noreply at issues.asterisk.org
Wed May 4 15:58:56 CDT 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-25996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=230502#comment-230502 ]
George Joseph commented on ASTERISK-25996:
------------------------------------------
I can reproduce this issue but the fix might not be so simple.
The restriction on DB(read) is for any AMI call, probably to prevent the use of SetVar/GetVar. Unfortunately, the pbx_functions that implement this can't tell the difference between DB being called via GetVar/SetVar directly from AMI and DB being called from the dialplan because ExtensionState was called from AMI. The former can be construed as a security risk, but the latter should not.
> Remove "live_dangerously" requirement on DB(read)
> -------------------------------------------------
>
> Key: ASTERISK-25996
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-25996
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/General, Core/SQLite3
> Affects Versions: 11.21.2, 13.8.2
> Reporter: Andrew Nagy
> Severity: Minor
>
> Please Remove the "live_dangerously" requirement on DB(read). This unintentionally breaks AMI commands like extensionState when calling dynamic hints based on DB values.
> E.g.:
> {code}
> exten => _*992*3*X.,1,Hangup
> exten => _*992*3*X.,hint,${DB(restapps/hints/conference/${EXTEN:7})}
> {code}
> {code}
> freepbxdev1*CLI> database show restapps/hints/conference
> /restapps/hints/conference/1000 : confbridge:81000&confbridge:81001
> {code}
> When I run extensionState over the AMI against "*992*3*1000" the DB read command is blocked because it's "dangerous"
> {code}
> dangerous DB read operation blocked
> {code}
> I don't think a DB read at a hint level should be blocked. Furthermore, requiring "live_dangerously" to make this even work is even scarier (and something I don't want to entertain :-) )
> Some history:
> {quote}
> 1:34 PM <tm1000> if a phone subscribes to said hint instead it works.
> 1:35 PM <tm1000> its just if I asked for the hint through extensionState first before the phone ever did the hint is effectively broken forever
> 1:35 PM <gtjoseph> so you're getting the "dangerous DB read operation blocked" when calling ExtensionState??
> 1:36 PM <gtjoseph> maybe i need to test again with a pattern match.
> 1:36 PM <gtjoseph> because i get no attempt to even call the DB function
> 1:37 PM <@file> for pattern matches the act of requesting or subscribing will in and of itself create a specific hint and evaluate the passed variables/contents
> 1:37 PM <gtjoseph> yeah, i dimly remember that
> 1:40 PM <gtjoseph> ok, it works with DB(read) allowed in AMI.
> 1:41 PM <gtjoseph> tm1000: can you open a separate issue to remove the "live_dangerously" restriction on DB(read)?
> 1:45 PM <tm1000> gtjoseph: sure
> 1:45 PM <tm1000> anything you want me to put in the ticket specifically?
> 1:46 PM <gtjoseph> just the requirement. not sure how to do it securely.
> {quote}
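The following is a small Python model added to this archive page; it is not Asterisk code and not the fix discussed in the ticket. It reproduces the two call paths George's comment distinguishes: the expression text of a pattern-matched hint comes from the dialplan, while an AMI GetVar carries expression text supplied by the client, yet a gate keyed only on "did the request come from AMI" refuses both. The `gate="author"` branch, the `Origin` strings, the function names and the constructed astdb/hint data are this example's own assumptions, used to show that a gate keyed on who wrote the expression would separate the two cases; it is not a claim about how pbx_functions is or will be implemented.

```python
import re

# Constructed data standing in for the astdb entry and the dialplan hint in the report
ASTDB = {"restapps/hints/conference/1000": "confbridge:81000&confbridge:81001"}
HINTS = {"_*992*3*X.": "${DB(restapps/hints/conference/${EXTEN:7})}"}

DANGEROUS_READ = {"DB"}  # functions whose read side is refused unless live_dangerously is set


class Blocked(Exception):
    """Raised where the real system logs 'dangerous ... read operation blocked'."""


def pattern_to_regex(pattern):
    """Translate an Asterisk-style extension pattern into a compiled regex.
    Only the common classes are modelled: X, Z, N, '.' (one or more) and '!' (zero or more)."""
    if not pattern.startswith("_"):
        return re.compile("^" + re.escape(pattern) + "$")
    classes = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}
    body = "".join(classes.get(ch, re.escape(ch)) for ch in pattern[1:])
    return re.compile("^" + body + "$")


def find_hint(exten):
    """Return the hint expression whose pattern matches exten; as noted in the IRC log,
    requesting a pattern-matched hint creates a specific hint for that extension."""
    for pattern, expr in HINTS.items():
        if pattern_to_regex(pattern).match(exten):
            return expr
    return None


def evaluate(expr, exten, request_origin, expr_origin, gate="request", live_dangerously=False):
    """Expand ${EXTEN:n} and ${FUNC(arg)} in expr.

    gate="request": the behaviour reported; a dangerous read is refused whenever the
                    request that triggered evaluation came from AMI.
    gate="author":  hypothetical alternative (this example's assumption); refuse only when
                    the AMI client itself supplied the expression text (GetVar), not when
                    it is dialplan text that AMI merely caused to be evaluated.
    """
    expr = re.sub(r"\$\{EXTEN:(\d+)\}", lambda m: exten[int(m.group(1)):], expr)

    def call(m):
        func, arg = m.group(1), m.group(2)
        checked = request_origin if gate == "request" else expr_origin
        if func in DANGEROUS_READ and checked == "AMI" and not live_dangerously:
            raise Blocked(f"dangerous {func} read operation blocked")
        if func == "DB":
            return ASTDB.get(arg, "")
        raise ValueError(f"unsupported function {func}")

    return re.sub(r"\$\{(\w+)\(([^)]*)\)\}", call, expr)


def extension_state(exten, request_origin, **opts):
    """AMI ExtensionState, or a phone SUBSCRIBE, on a hint: the expression comes from the dialplan."""
    expr = find_hint(exten)
    return None if expr is None else evaluate(expr, exten, request_origin, "DIALPLAN", **opts)


def getvar(expr, **opts):
    """AMI GetVar: the client supplies the expression text itself."""
    return evaluate(expr, "", "AMI", "AMI", **opts)


def outcome(fn, *args, **kw):
    """Run one request and report its value or the block message."""
    try:
        return fn(*args, **kw)
    except Blocked as e:
        return f"BLOCKED: {e}"


def demo():
    """The cases from the report and the chat log, under both gates."""
    ext, db_expr = "*992*3*1000", "${DB(restapps/hints/conference/1000)}"
    return {
        "phone subscribe": outcome(extension_state, ext, "SIP"),
        "AMI ExtensionState, as reported": outcome(extension_state, ext, "AMI"),
        "AMI ExtensionState, live_dangerously": outcome(extension_state, ext, "AMI", live_dangerously=True),
        "AMI ExtensionState, author gate": outcome(extension_state, ext, "AMI", gate="author"),
        "AMI GetVar, author gate": outcome(getvar, db_expr, gate="author"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:40} {result}")
```

Running it shows the phone SUBSCRIBE resolving the hint while AMI ExtensionState on the same extension is refused under the reported gate, and that only a gate which looks at where the expression text originated lets the hint through while still refusing a client-supplied DB() read via GetVar.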
--
This message was sent by Atlassian JIRA
(v6.2#6252)