[Asterisk-code-review] Audit ast json pack() calls for needed UTF-8 checks. (asterisk[master])

Richard Mudgett asteriskteam at digium.com
Thu Oct 13 16:03:41 CDT 2016 

Richard Mudgett has uploaded a new change for review.

  https://gerrit.asterisk.org/4103

Change subject: Audit ast_json_pack() calls for needed UTF-8 checks.
......................................................................

Audit ast_json_pack() calls for needed UTF-8 checks.

Added needed UTF-8 checks before constructing json objects in various
files for strings obtained outside the system.  In this case string values
from a channel driver's peer and not from the user setting channel
variables.

* aoc.c: Fixed type mismatch in s_to_json() for time and granularity json
object construction.

ASTERISK-26466
Reported by: Richard Mudgett

Change-Id: Iac2d867fa598daba5c5dbc619b5464625a7f2096
---
M apps/app_fax.c
M apps/app_queue.c
M main/aoc.c
M main/cel.c
M res/res_fax.c
M res/stasis/app.c
6 files changed, 35 insertions(+), 30 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/03/4103/1

diff --git a/apps/app_fax.c b/apps/app_fax.c
index bf57d82..85b83cd 100644
--- a/apps/app_fax.c
+++ b/apps/app_fax.c
@@ -262,13 +262,13 @@
 	}
 	ast_json_ref(json_filenames);
 	json_object = ast_json_pack("{s: s, s: s, s: s, s: i, s: i, s: i, s: o}",
-			"type", s->direction ? "send" : "receive",
-			"remote_station_id", far_ident,
-			"local_station_id", local_ident,
-			"fax_pages", pages_transferred,
-			"fax_resolution", stat.y_resolution,
-			"fax_bitrate", stat.bit_rate,
-			"filenames", json_filenames);
+		"type", s->direction ? "send" : "receive",
+		"remote_station_id", ast_json_utf8_check(far_ident) ? far_ident : "",
+		"local_station_id", ast_json_utf8_check(local_ident) ? local_ident : "",
+		"fax_pages", pages_transferred,
+		"fax_resolution", stat.y_resolution,
+		"fax_bitrate", stat.bit_rate,
+		"filenames", json_filenames);
 	message = ast_channel_blob_create_from_cache(ast_channel_uniqueid(s->chan), ast_channel_fax_type(), json_object);
 	if (!message) {
 		return;
diff --git a/apps/app_queue.c b/apps/app_queue.c
index a023b88..e49d80c 100644
--- a/apps/app_queue.c
+++ b/apps/app_queue.c
@@ -5645,12 +5645,12 @@
 	}
 
 	blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i, s: s}",
-			     "Queue", queuename,
-			     "Interface", member->interface,
-			     "MemberName", member->membername,
-			     "HoldTime", (long)(callstart - holdstart),
-			     "TalkTime", (long)(time(NULL) - callstart),
-			     "Reason", reason);
+		"Queue", queuename,
+		"Interface", member->interface,
+		"MemberName", member->membername,
+		"HoldTime", (long)(callstart - holdstart),
+		"TalkTime", (long)(time(NULL) - callstart),
+		"Reason", reason ?: "");
 
 	queue_publish_multi_channel_snapshot_blob(ast_queue_topic(queuename), caller, peer,
 			queue_agent_complete_type(), blob);
diff --git a/main/aoc.c b/main/aoc.c
index cd9c461..92f7996 100644
--- a/main/aoc.c
+++ b/main/aoc.c
@@ -1656,8 +1656,10 @@
 static struct ast_json *currency_to_json(const char *name, int cost,
 					 enum ast_aoc_currency_multiplier mult)
 {
-	return ast_json_pack("{s:s, s:i, s:s}",	"Name", name,
-			     "Cost", cost, "Multiplier", aoc_multiplier_str(mult));
+	return ast_json_pack("{s:s, s:i, s:s}",
+		"Name", ast_json_utf8_check(name) ? name : "",
+		"Cost", cost,
+		"Multiplier", aoc_multiplier_str(mult));
 }
 
 static struct ast_json *charge_to_json(const struct ast_aoc_decoded *decoded)
@@ -1692,9 +1694,10 @@
 {
 	switch (decoded->charging_association.charging_type) {
 	case AST_AOC_CHARGING_ASSOCIATION_NUMBER:
-		return ast_json_pack(
-			"{s:s, s:i}",
-			"Number", decoded->charging_association.charge.number.number,
+		return ast_json_pack("{s:s, s:i}",
+			"Number",
+			ast_json_utf8_check(decoded->charging_association.charge.number.number)
+				? decoded->charging_association.charge.number.number : "",
 			"Plan", decoded->charging_association.charge.number.plan);
 	case AST_AOC_CHARGING_ASSOCIATION_ID:
 		return ast_json_pack(
@@ -1740,14 +1743,12 @@
 				decoded->aoc_s_entries[i].rate.duration.amount,
 				decoded->aoc_s_entries[i].rate.duration.multiplier);
 
-			time = ast_json_pack(
-				"{s:i, s:s}",
+			time = ast_json_pack("{s:i, s:i}",
 				"Length", decoded->aoc_s_entries[i].rate.duration.time,
 				"Scale", decoded->aoc_s_entries[i].rate.duration.time_scale);
 
 			if (decoded->aoc_s_entries[i].rate.duration.granularity_time) {
-				granularity = ast_json_pack(
-					"{s:i, s:s}",
+				granularity = ast_json_pack("{s:i, s:i}",
 					"Length", decoded->aoc_s_entries[i].rate.duration.granularity_time,
 					"Scale", decoded->aoc_s_entries[i].rate.duration.granularity_time_scale);
 			}
diff --git a/main/cel.c b/main/cel.c
index ad75c01..aafeea4 100644
--- a/main/cel.c
+++ b/main/cel.c
@@ -1237,10 +1237,10 @@
 
 	if (parked_payload->retriever) {
 		extra = ast_json_pack("{s: s, s: s}",
-			"reason", reason,
+			"reason", reason ?: "",
 			"retriever", parked_payload->retriever->name);
 	} else {
-		extra = ast_json_pack("{s: s}", "reason", reason);
+		extra = ast_json_pack("{s: s}", "reason", reason ?: "");
 	}
 
 	if (extra) {
diff --git a/res/res_fax.c b/res/res_fax.c
index b97f3eb..41effb8 100644
--- a/res/res_fax.c
+++ b/res/res_fax.c
@@ -1415,11 +1415,14 @@
 	}
 
 	json_object = ast_json_pack("{s: s, s: s, s: s, s: s, s: o}",
-			"type", "status",
-			"operation", (details->caps & AST_FAX_TECH_GATEWAY) ? "gateway" : (details->caps & AST_FAX_TECH_RECEIVE) ? "receive" : "send",
-			"status", status,
-			"local_station_id", details->localstationid,
-			"filenames", json_filenames);
+		"type", "status",
+		"operation", (details->caps & AST_FAX_TECH_GATEWAY)
+			? "gateway"
+			: (details->caps & AST_FAX_TECH_RECEIVE) ? "receive" : "send",
+		"status", status,
+		"local_station_id",
+		ast_json_utf8_check(details->localstationid) ? details->localstationid : "",
+		"filenames", json_filenames);
 	if (!json_object) {
 		return -1;
 	}
diff --git a/res/stasis/app.c b/res/stasis/app.c
index 6e5a396..505360a 100644
--- a/res/stasis/app.c
+++ b/res/stasis/app.c
@@ -455,7 +455,8 @@
 		"type", "ChannelDialplan",
 		"timestamp", ast_json_timeval(*tv, NULL),
 		"dialplan_app", new_snapshot->appl,
-		"dialplan_app_data", new_snapshot->data,
+		"dialplan_app_data",
+		ast_json_utf8_check(new_snapshot->data) ? new_snapshot->data : "",
 		"channel", json_channel);
 }
 

-- 
To view, visit https://gerrit.asterisk.org/4103
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iac2d867fa598daba5c5dbc619b5464625a7f2096
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>

More information about the asterisk-code-review mailing list