[asterisk-commits] murf: branch murf/bug11210 r104075 - in /team/murf/bug11210: ./ channels/ doc...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Sat Feb 23 20:43:32 CST 2008


Author: murf
Date: Sat Feb 23 20:43:31 2008
New Revision: 104075

URL: http://svn.digium.com/view/asterisk?view=rev&rev=104075
Log:
Merged revisions 104031,104036,104038-104039,104045 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
r104031 | russell | 2008-02-21 14:27:24 -0700 (Thu, 21 Feb 2008) | 1 line

fix a typo
................
r104036 | tilghman | 2008-02-22 15:39:21 -0700 (Fri, 22 Feb 2008) | 7 lines

Allow database password to be NULL and several other cleanups.
(closes issue #12048)
 Reported by: bukaj
 Patches: 
       20080222__bug12048.diff.txt uploaded by Corydon76 (license 14)
 Tested by: bukaj

................
r104038 | tilghman | 2008-02-22 15:48:18 -0700 (Fri, 22 Feb 2008) | 14 lines

Merged revisions 104037 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r104037 | tilghman | 2008-02-22 16:45:14 -0600 (Fri, 22 Feb 2008) | 6 lines

Backwards debug message.
(closes issue #12052)
 Reported by: flefoll
 Patches: 
       chan_sip.c.br14.patch_found-notfound uploaded by flefoll (license 244)

........

................
r104039 | tilghman | 2008-02-22 15:55:35 -0700 (Fri, 22 Feb 2008) | 2 lines

Move Originate to a separate privilege and require the additional System privilege to call out to a subshell.

................
r104045 | dbailey | 2008-02-22 16:56:55 -0700 (Fri, 22 Feb 2008) | 2 lines

Add protection to chan_zap build when NEONMWI events are not defined

................

Modified:
    team/murf/bug11210/   (props changed)
    team/murf/bug11210/CHANGES
    team/murf/bug11210/UPGRADE.txt
    team/murf/bug11210/channels/chan_sip.c
    team/murf/bug11210/channels/chan_zap.c
    team/murf/bug11210/configure
    team/murf/bug11210/configure.ac
    team/murf/bug11210/doc/manager_1_1.txt
    team/murf/bug11210/include/asterisk/manager.h
    team/murf/bug11210/main/manager.c
    team/murf/bug11210/res/res_config_pgsql.c

Propchange: team/murf/bug11210/
------------------------------------------------------------------------------
Binary property 'branch-1.4-merged' - no diff available.

Propchange: team/murf/bug11210/
------------------------------------------------------------------------------
--- svnmerge-integrated (original)
+++ svnmerge-integrated Sat Feb 23 20:43:31 2008
@@ -1,1 +1,1 @@
-/trunk:1-104029
+/trunk:1-104066

Modified: team/murf/bug11210/CHANGES
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/CHANGES?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/CHANGES (original)
+++ team/murf/bug11210/CHANGES Sat Feb 23 20:43:31 2008
@@ -48,6 +48,9 @@
   * Updated action newcat to allow new category to be inserted in file above another
     existing category.
   * Added new event "JitterBufStats" in the IAX2 channel
+  * Originate now requires the Originate privilege and, if you want to call out
+    to a subshell, it requires the System privilege, as well.  This was done to
+    enhance manager security.
 
 Dialplan functions
 ------------------

Modified: team/murf/bug11210/UPGRADE.txt
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/UPGRADE.txt?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/UPGRADE.txt (original)
+++ team/murf/bug11210/UPGRADE.txt Sat Feb 23 20:43:31 2008
@@ -178,3 +178,6 @@
    change your manager.conf to add the level to existing AMI users, if they
    want to see the CDR events generated.
 
+* The Originate command now requires the Originate write permission.  For
+   Originate with the Application parameter, you need the additional System
+   privilege if you want to do anything that calls out to a subshell.

Modified: team/murf/bug11210/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/channels/chan_sip.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/channels/chan_sip.c (original)
+++ team/murf/bug11210/channels/chan_sip.c Sat Feb 23 20:43:31 2008
@@ -3205,7 +3205,7 @@
 			break;
 		}
 	}
-	ast_debug(1, "(Provisional) Stopping retransmission (but retaining packet) on '%s' %s %d: %s\n", p->callid, resp ? "Response" : "Request", seqno, res ? "Not Found" : "Found");
+	ast_debug(1, "(Provisional) Stopping retransmission (but retaining packet) on '%s' %s %d: %s\n", p->callid, resp ? "Response" : "Request", seqno, res == -1 ? "Not Found" : "Found");
 	return res;
 }
 

Modified: team/murf/bug11210/channels/chan_zap.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/channels/chan_zap.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/channels/chan_zap.c (original)
+++ team/murf/bug11210/channels/chan_zap.c Sat Feb 23 20:43:31 2008
@@ -7313,8 +7313,10 @@
 			res = zt_get_event(mtd->pvt->subs[SUB_REAL].zfd);
 
 			switch (res) {
+#ifdef HAVE_ZAPTEL_NEONMWI
 			case ZT_EVENT_NEONMWI_ACTIVE:
 			case ZT_EVENT_NEONMWI_INACTIVE:
+#endif
 			case ZT_EVENT_NONE:
 			case ZT_EVENT_BITSCHANGED:
 				break;
@@ -7639,6 +7641,7 @@
 				i->channel);
 		zap_destroy_channel_bynum(i->channel);
 		break;
+#ifdef HAVE_ZAPTEL_NEONMWI
 	case ZT_EVENT_NEONMWI_ACTIVE:
 		if (i->mwimonitor_neon) {
 			notify_message(i->mailbox, 1);
@@ -7651,6 +7654,7 @@
 			ast_log(LOG_NOTICE, "NEON MWI cleared for channel %d, mailbox %s\n", i->channel, i->mailbox);
 		}
 		break;
+#endif
 	}
 	return 0;
 }

Modified: team/murf/bug11210/configure.ac
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/configure.ac?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/configure.ac (original)
+++ team/murf/bug11210/configure.ac Sat Feb 23 20:43:31 2008
@@ -254,6 +254,7 @@
 AST_EXT_LIB_SETUP([ZAPTEL_TRANSCODE], [Zaptel Transcoder Support], [zaptel_transcode])
 AST_EXT_LIB_SETUP([ZAPTEL_VLDTMF], [Zaptel VLDTMF Support], [zaptel_vldtmf])
 AST_EXT_LIB_SETUP([ZAPTEL_HWGAIN], [Zaptel Hardware Gain Support], [zaptel_hwgain])
+AST_EXT_LIB_SETUP([ZAPTEL_NEONMWI], [Zaptel Neon MWI Support], [zaptel_neonmwi])
 AST_EXT_LIB_SETUP([ZAPTEL_ECHOCANPARAMS], [Zaptel Echo Canceler Parameter Support], [zaptel_echocanparams])
 AST_EXT_LIB_SETUP([ZAPTEL_CHANALARMS], [Zaptel Channel Alarm Support], [zaptel_chanalarms])
 
@@ -1430,6 +1431,9 @@
 # Check for hwgain support
 AST_C_DEFINE_CHECK([ZAPTEL_HWGAIN], [ZT_SET_HWGAIN], [zaptel/zaptel.h])
 
+# Check for neon mwi support
+AST_C_DEFINE_CHECK([ZAPTEL_NEONMWI], [ZT_EVENT_NEONMWI_ACTIVE], [zaptel/zaptel.h])
+
 # Check for channel alarm support
 AST_C_COMPILE_CHECK([ZAPTEL_CHANALARMS], [size_t foo = sizeof(struct zt_params_v1)], [zaptel/zaptel.h])
 

Modified: team/murf/bug11210/doc/manager_1_1.txt
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/doc/manager_1_1.txt?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/doc/manager_1_1.txt (original)
+++ team/murf/bug11210/doc/manager_1_1.txt Sat Feb 23 20:43:31 2008
@@ -114,6 +114,11 @@
 	Added new headers for SayEnvelope, SayCID, AttachMessage, CanReview
         and CallOperator voicemail configuration settings.
 
+- Action Originate
+	Now requires the new Originate privilege.
+	If you call out to a subshell in Originate with the Application parameter,
+		you now also need the System privilege.
+
 * NEW ACTIONS
 -------------
 - Action: ModuleLoad

Modified: team/murf/bug11210/include/asterisk/manager.h
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/include/asterisk/manager.h?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/include/asterisk/manager.h (original)
+++ team/murf/bug11210/include/asterisk/manager.h Sat Feb 23 20:43:31 2008
@@ -69,6 +69,7 @@
 #define EVENT_FLAG_REPORTING		(1 << 9) /* Reporting events such as rtcp sent */
 #define EVENT_FLAG_CDR			(1 << 10) /* CDR events */
 #define EVENT_FLAG_DIALPLAN		(1 << 11) /* Dialplan events (VarSet, NewExten) */
+#define EVENT_FLAG_ORIGINATE	(1 << 12) /* Originate a call to an extension */
 /*@} */
 
 /*! \brief Export manager structures */

Modified: team/murf/bug11210/main/manager.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/main/manager.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/main/manager.c (original)
+++ team/murf/bug11210/main/manager.c Sat Feb 23 20:43:31 2008
@@ -328,6 +328,7 @@
 	{ EVENT_FLAG_REPORTING, "reporting" },
 	{ EVENT_FLAG_CDR, "cdr" },
 	{ EVENT_FLAG_DIALPLAN, "dialplan" },
+	{ EVENT_FLAG_ORIGINATE, "originate" },
 	{ -1, "all" },
 	{ 0, "none" },
 };
@@ -2156,8 +2157,23 @@
 			}
 		}
 	} else if (!ast_strlen_zero(app)) {
+		/* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
+		if (!(s->writeperm & EVENT_FLAG_SYSTEM)
+			&& (
+				strcasestr(app, "system") == 0 || /* System(rm -rf /)
+				                                     TrySystem(rm -rf /)       */
+				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
+				                                     TryExec(System(rm -rf /)) */
+				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+				                                     EAGI(/bin/rm,-rf /)       */
+				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+				)) {
+			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+			return 0;
+		}
 		res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
-    	} else {
+	} else {
 		if (exten && context && pi)
 			res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL);
 		else {
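Review bot: The first test in the new privilege check is inverted: `strcasestr(app, "system") == 0` is true when the application name does NOT contain "system", so a session without EVENT_FLAG_SYSTEM is refused for ordinary applications, while this operand does nothing to stop System or TrySystem, the opposite of what the comment beside it describes. It should read `strcasestr(app, "system") ||`, like the operands that follow it. Beyond that, substring matching is a denylist that over-matches (any application whose name merely contains "exec" or "agi" is refused) and cannot cover applications or functions added later; comparing the full application name against an explicit list, and ideally permitting only listed applications for sessions without the System privilege, would be sturdier. `appdata` is passed to `strstr` unguarded, which is safe only if it can never be NULL at this point; action_originate begins and ends outside this hunk, so that should be confirmed where the header is read.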
@@ -3641,7 +3657,7 @@
 		ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig);
 		ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories);
 		ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect );
-		ast_manager_register2("Originate", EVENT_FLAG_CALL, action_originate, "Originate Call", mandescr_originate);
+		ast_manager_register2("Originate", EVENT_FLAG_ORIGINATE, action_originate, "Originate Call", mandescr_originate);
 		ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command );
 		ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate );
 		ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout );

Modified: team/murf/bug11210/res/res_config_pgsql.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/res/res_config_pgsql.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/res/res_config_pgsql.c (original)
+++ team/murf/bug11210/res/res_config_pgsql.c Sat Feb 23 20:43:31 2008
@@ -912,23 +912,21 @@
 		pgsqlConn = NULL;
 	}
 
-	if ((!pgsqlConn) && (!ast_strlen_zero(dbhost) || !ast_strlen_zero(dbsock)) && !ast_strlen_zero(dbuser) && !ast_strlen_zero(dbpass) && !ast_strlen_zero(my_database)) {
-		char *connInfo = NULL;
-		unsigned int size = 100 + strlen(dbhost)
-			+ strlen(dbuser)
-			+ strlen(dbpass)
-			+ strlen(my_database);
-		
-		if (!(connInfo = ast_malloc(size)))
-			return 0;
-		
-		sprintf(connInfo, "host=%s port=%d dbname=%s user=%s password=%s",
-					dbhost, dbport, my_database, dbuser, dbpass);
-		ast_debug(1, "%u connInfo=%s\n", size, connInfo);
-		pgsqlConn = PQconnectdb(connInfo);
-		ast_debug(1, "%u connInfo=%s\n", size, connInfo);
+	/* DB password can legitimately be 0-length */
+	if ((!pgsqlConn) && (!ast_strlen_zero(dbhost) || !ast_strlen_zero(dbsock)) && !ast_strlen_zero(dbuser) && dbpass && !ast_strlen_zero(my_database)) {
+		struct ast_str *connInfo = ast_str_create(32);
+
+		ast_str_set(&connInfo, 0, "host=%s port=%d dbname=%s user=%s",
+			dbhost, dbport, my_database, dbuser);
+		if (!ast_strlen_zero(dbpass))
+			ast_str_append(&connInfo, 0, " password=%s", dbpass);
+
+		ast_debug(1, "%u connInfo=%s\n", connInfo->len, connInfo->str);
+		pgsqlConn = PQconnectdb(connInfo->str);
+		ast_debug(1, "%u connInfo=%s\n", connInfo->len, connInfo->str);
 		ast_free(connInfo);
 		connInfo = NULL;
+
 		ast_debug(1, "pgsqlConn=%p\n", pgsqlConn);
 		if (pgsqlConn && PQstatus(pgsqlConn) == CONNECTION_OK) {
 			ast_debug(1, "PostgreSQL RealTime: Successfully connected to database.\n");
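Review bot: The result of `ast_str_create(32)` is used without a NULL check, whereas the code it replaces returned 0 when `ast_malloc` failed; a failed allocation now reaches `ast_str_set` and the `connInfo->len` dereference in the debug call. Add `if (!connInfo) return 0;` directly after the declaration. Both `ast_debug` calls also print the complete connection string, which contains ` password=...` once it has been appended, so the database credential is written to the debug log; emit the debug line before the password is appended, or log only host, port, database and user. If `len` in struct ast_str is a size_t (its declaration is not visible here), `%u` is the wrong conversion and `%zu` is needed. The enclosing function starts above this hunk.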
@@ -936,13 +934,12 @@
 			return 1;
 		} else {
 			ast_log(LOG_ERROR,
-					"PostgreSQL RealTime: Failed to connect database server %s on %s. Check debug for more info.\n",
-					dbname, dbhost);
-			ast_debug(1, "PostgreSQL RealTime: Cannot Connect: %s\n", PQresultErrorMessage(NULL));
+					"PostgreSQL RealTime: Failed to connect database %s on %s: %s\n",
+					dbname, dbhost, PQresultErrorMessage(NULL));
 			return 0;
 		}
 	} else {
-		ast_debug(1, "PostgreSQL RealTime: Everything is fine.\n");
+		ast_debug(1, "PostgreSQL RealTime: One or more of the parameters in the config does not pass our validity checks.\n");
 		return 1;
 	}
 }
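Review bot: `PQresultErrorMessage(NULL)` in the new LOG_ERROR call asks for the error text of a result object, and a failed connect has none, so the logged reason is likely to be empty; the connection-level text comes from `PQerrorMessage(pgsqlConn)`. The same message prints `dbname`, while the connection string in the previous hunk is built from `my_database`, so the name logged may not be the one that was used (how the two relate is not visible here). In the final else branch the new debug text says the configuration failed the validity checks, but that branch also appears to be taken when `pgsqlConn` is already set, and it still returns 1; split the two cases, or keep a neutral message for the already-connected path and return 0 when the parameters are actually unusable.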



