<p>Benjamin Keith Ford <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13286">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">manager.c: Prevent the Originate action from running the Originate app<br><br>If an AMI user without the "system" authorization calls the<br>Originate AMI command with the Originate application,<br>the second Originate could run the "System" command.<br><br>Action: Originate<br>Channel: Local/1111<br>Application: Originate<br>Data: Local/2222,app,System,touch /tmp/owned<br><br>If the "system" authorization isn't set, we now block the<br>Originate app as well as the System, Exec, etc. apps.<br><br>ASTERISK-28580<br>Reported by: Eliel SardaƱons<br><br>Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa<br>(cherry picked from commit 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285)<br>---<br>A doc/UPGRADE-staging/AMI-Originate.txt<br>M main/manager.c<br>2 files changed, 6 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt</span><br><span>new file mode 100644</span><br><span>index 0000000..f2d3133</span><br><span>--- /dev/null</span><br><span>+++ b/doc/UPGRADE-staging/AMI-Originate.txt</span><br><span>@@ -0,0 +1,5 @@</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: AMI</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+The AMI Originate action, which optionally takes a dialplan application as</span><br><span style="color: hsl(120, 100%, 40%);">+an argument, no longer accepts "Originate" as the application due to</span><br><span style="color: hsl(120, 100%, 40%);">+security concerns.</span><br><span>diff --git a/main/manager.c b/main/manager.c</span><br><span>index 1df6765..b75cb55 100644</span><br><span>--- a/main/manager.c</span><br><span>+++ b/main/manager.c</span><br><span>@@ -5706,6 +5706,7 @@</span><br><span> EAGI(/bin/rm,-rf /) */</span><br><span> strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */</span><br><span> strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */</span><br><span style="color: hsl(120, 100%, 40%);">+ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */</span><br><span> (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */</span><br><span> (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */</span><br><span> )) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13286">change 13286</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13286"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13.29 </div>
<div style="display:none"> Gerrit-Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa </div>
<div style="display:none"> Gerrit-Change-Number: 13286 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-CC: Friendly Automation </div>
<div style="display:none"> Gerrit-MessageType: merged </div>