[asterisk-commits] murf: branch murf/bug11210 r104075 - in /team/murf/bug11210: ./ channels/ doc...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Sat Feb 23 20:43:32 CST 2008
Author: murf
Date: Sat Feb 23 20:43:31 2008
New Revision: 104075
URL: http://svn.digium.com/view/asterisk?view=rev&rev=104075
Log:
Merged revisions 104031,104036,104038-104039,104045 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r104031 | russell | 2008-02-21 14:27:24 -0700 (Thu, 21 Feb 2008) | 1 line
fix a typo
................
r104036 | tilghman | 2008-02-22 15:39:21 -0700 (Fri, 22 Feb 2008) | 7 lines
Allow database password to be NULL and several other cleanups.
(closes issue #12048)
Reported by: bukaj
Patches:
20080222__bug12048.diff.txt uploaded by Corydon76 (license 14)
Tested by: bukaj
................
r104038 | tilghman | 2008-02-22 15:48:18 -0700 (Fri, 22 Feb 2008) | 14 lines
Merged revisions 104037 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r104037 | tilghman | 2008-02-22 16:45:14 -0600 (Fri, 22 Feb 2008) | 6 lines
Backwards debug message.
(closes issue #12052)
Reported by: flefoll
Patches:
chan_sip.c.br14.patch_found-notfound uploaded by flefoll (license 244)
........
................
r104039 | tilghman | 2008-02-22 15:55:35 -0700 (Fri, 22 Feb 2008) | 2 lines
Move Originate to a separate privilege and require the additional System privilege to call out to a subshell.
................
r104045 | dbailey | 2008-02-22 16:56:55 -0700 (Fri, 22 Feb 2008) | 2 lines
Add protection to chan_zap build when NEONMWI events are not defined
................
Modified:
team/murf/bug11210/ (props changed)
team/murf/bug11210/CHANGES
team/murf/bug11210/UPGRADE.txt
team/murf/bug11210/channels/chan_sip.c
team/murf/bug11210/channels/chan_zap.c
team/murf/bug11210/configure
team/murf/bug11210/configure.ac
team/murf/bug11210/doc/manager_1_1.txt
team/murf/bug11210/include/asterisk/manager.h
team/murf/bug11210/main/manager.c
team/murf/bug11210/res/res_config_pgsql.c
Propchange: team/murf/bug11210/
------------------------------------------------------------------------------
Binary property 'branch-1.4-merged' - no diff available.
Propchange: team/murf/bug11210/
------------------------------------------------------------------------------
--- svnmerge-integrated (original)
+++ svnmerge-integrated Sat Feb 23 20:43:31 2008
@@ -1,1 +1,1 @@
-/trunk:1-104029
+/trunk:1-104066
Modified: team/murf/bug11210/CHANGES
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/CHANGES?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/CHANGES (original)
+++ team/murf/bug11210/CHANGES Sat Feb 23 20:43:31 2008
@@ -48,6 +48,9 @@
* Updated action newcat to allow new category to be inserted in file above another
existing category.
* Added new event "JitterBufStats" in the IAX2 channel
+ * Originate now requires the Originate privilege and, if you want to call out
+ to a subshell, it requires the System privilege, as well. This was done to
+ enhance manager security.
Dialplan functions
------------------
Modified: team/murf/bug11210/UPGRADE.txt
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/UPGRADE.txt?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/UPGRADE.txt (original)
+++ team/murf/bug11210/UPGRADE.txt Sat Feb 23 20:43:31 2008
@@ -178,3 +178,6 @@
change your manager.conf to add the level to existing AMI users, if they
want to see the CDR events generated.
+* The Originate command now requires the Originate write permission. For
+ Originate with the Application parameter, you need the additional System
+ privilege if you want to do anything that calls out to a subshell.
Modified: team/murf/bug11210/channels/chan_sip.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/channels/chan_sip.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/channels/chan_sip.c (original)
+++ team/murf/bug11210/channels/chan_sip.c Sat Feb 23 20:43:31 2008
@@ -3205,7 +3205,7 @@
break;
}
}
- ast_debug(1, "(Provisional) Stopping retransmission (but retaining packet) on '%s' %s %d: %s\n", p->callid, resp ? "Response" : "Request", seqno, res ? "Not Found" : "Found");
+ ast_debug(1, "(Provisional) Stopping retransmission (but retaining packet) on '%s' %s %d: %s\n", p->callid, resp ? "Response" : "Request", seqno, res == -1 ? "Not Found" : "Found");
return res;
}
Modified: team/murf/bug11210/channels/chan_zap.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/channels/chan_zap.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/channels/chan_zap.c (original)
+++ team/murf/bug11210/channels/chan_zap.c Sat Feb 23 20:43:31 2008
@@ -7313,8 +7313,10 @@
res = zt_get_event(mtd->pvt->subs[SUB_REAL].zfd);
switch (res) {
+#ifdef HAVE_ZAPTEL_NEONMWI
case ZT_EVENT_NEONMWI_ACTIVE:
case ZT_EVENT_NEONMWI_INACTIVE:
+#endif
case ZT_EVENT_NONE:
case ZT_EVENT_BITSCHANGED:
break;
@@ -7639,6 +7641,7 @@
i->channel);
zap_destroy_channel_bynum(i->channel);
break;
+#ifdef HAVE_ZAPTEL_NEONMWI
case ZT_EVENT_NEONMWI_ACTIVE:
if (i->mwimonitor_neon) {
notify_message(i->mailbox, 1);
@@ -7651,6 +7654,7 @@
ast_log(LOG_NOTICE, "NEON MWI cleared for channel %d, mailbox %s\n", i->channel, i->mailbox);
}
break;
+#endif
}
return 0;
}
Modified: team/murf/bug11210/configure.ac
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/configure.ac?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/configure.ac (original)
+++ team/murf/bug11210/configure.ac Sat Feb 23 20:43:31 2008
@@ -254,6 +254,7 @@
AST_EXT_LIB_SETUP([ZAPTEL_TRANSCODE], [Zaptel Transcoder Support], [zaptel_transcode])
AST_EXT_LIB_SETUP([ZAPTEL_VLDTMF], [Zaptel VLDTMF Support], [zaptel_vldtmf])
AST_EXT_LIB_SETUP([ZAPTEL_HWGAIN], [Zaptel Hardware Gain Support], [zaptel_hwgain])
+AST_EXT_LIB_SETUP([ZAPTEL_NEONMWI], [Zaptel Neon MWI Support], [zaptel_neonmwi])
AST_EXT_LIB_SETUP([ZAPTEL_ECHOCANPARAMS], [Zaptel Echo Canceler Parameter Support], [zaptel_echocanparams])
AST_EXT_LIB_SETUP([ZAPTEL_CHANALARMS], [Zaptel Channel Alarm Support], [zaptel_chanalarms])
@@ -1430,6 +1431,9 @@
# Check for hwgain support
AST_C_DEFINE_CHECK([ZAPTEL_HWGAIN], [ZT_SET_HWGAIN], [zaptel/zaptel.h])
+# Check for neon mwi support
+AST_C_DEFINE_CHECK([ZAPTEL_NEONMWI], [ZT_EVENT_NEONMWI_ACTIVE], [zaptel/zaptel.h])
+
# Check for channel alarm support
AST_C_COMPILE_CHECK([ZAPTEL_CHANALARMS], [size_t foo = sizeof(struct zt_params_v1)], [zaptel/zaptel.h])
Modified: team/murf/bug11210/doc/manager_1_1.txt
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/doc/manager_1_1.txt?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/doc/manager_1_1.txt (original)
+++ team/murf/bug11210/doc/manager_1_1.txt Sat Feb 23 20:43:31 2008
@@ -114,6 +114,11 @@
Added new headers for SayEnvelope, SayCID, AttachMessage, CanReview
and CallOperator voicemail configuration settings.
+- Action Originate
+ Now requires the new Originate privilege.
+ If you call out to a subshell in Originate with the Application parameter,
+ you now also need the System privilege.
+
* NEW ACTIONS
-------------
- Action: ModuleLoad
Modified: team/murf/bug11210/include/asterisk/manager.h
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/include/asterisk/manager.h?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/include/asterisk/manager.h (original)
+++ team/murf/bug11210/include/asterisk/manager.h Sat Feb 23 20:43:31 2008
@@ -69,6 +69,7 @@
#define EVENT_FLAG_REPORTING (1 << 9) /* Reporting events such as rtcp sent */
#define EVENT_FLAG_CDR (1 << 10) /* CDR events */
#define EVENT_FLAG_DIALPLAN (1 << 11) /* Dialplan events (VarSet, NewExten) */
+#define EVENT_FLAG_ORIGINATE (1 << 12) /* Originate a call to an extension */
/*@} */
/*! \brief Export manager structures */
Modified: team/murf/bug11210/main/manager.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/main/manager.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/main/manager.c (original)
+++ team/murf/bug11210/main/manager.c Sat Feb 23 20:43:31 2008
@@ -328,6 +328,7 @@
{ EVENT_FLAG_REPORTING, "reporting" },
{ EVENT_FLAG_CDR, "cdr" },
{ EVENT_FLAG_DIALPLAN, "dialplan" },
+ { EVENT_FLAG_ORIGINATE, "originate" },
{ -1, "all" },
{ 0, "none" },
};
@@ -2156,8 +2157,23 @@
}
}
} else if (!ast_strlen_zero(app)) {
+ /* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
+ if (!(s->writeperm & EVENT_FLAG_SYSTEM)
+ && (
+ strcasestr(app, "system") == 0 || /* System(rm -rf /)
+ TrySystem(rm -rf /) */
+ strcasestr(app, "exec") || /* Exec(System(rm -rf /))
+ TryExec(System(rm -rf /)) */
+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
+ EAGI(/bin/rm,-rf /) */
+ strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
+ strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+ astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+ return 0;
+ }
res = ast_pbx_outgoing_app(tech, AST_FORMAT_SLINEAR, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
- } else {
+ } else {
if (exten && context && pi)
res = ast_pbx_outgoing_exten(tech, AST_FORMAT_SLINEAR, data, to, context, exten, pi, &reason, 1, l, n, vars, account, NULL);
else {
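Review bot: The first term of the added privilege check is inverted: `strcasestr(app, "system") == 0` is true when the application name does not contain "system", so a session lacking the System privilege is refused for ordinary applications while System and TrySystem are not caught by this term. It should read `strcasestr(app, "system") ||`, matching the `exec` and `agi` terms next to it. The guard is also a substring denylist over `app` and `appdata`, so it only covers the names written here; an allowlist of applications permitted without the System privilege would fail closed instead. `appdata` is handed to `strstr` without a check, and whether it can be NULL is not visible here because the enclosing function starts and ends outside the hunk.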
@@ -3641,7 +3657,7 @@
ast_manager_register2("CreateConfig", EVENT_FLAG_CONFIG, action_createconfig, "Creates an empty file in the configuration directory", mandescr_createconfig);
ast_manager_register2("ListCategories", EVENT_FLAG_CONFIG, action_listcategories, "List categories in configuration file", mandescr_listcategories);
ast_manager_register2("Redirect", EVENT_FLAG_CALL, action_redirect, "Redirect (transfer) a call", mandescr_redirect );
- ast_manager_register2("Originate", EVENT_FLAG_CALL, action_originate, "Originate Call", mandescr_originate);
+ ast_manager_register2("Originate", EVENT_FLAG_ORIGINATE, action_originate, "Originate Call", mandescr_originate);
ast_manager_register2("Command", EVENT_FLAG_COMMAND, action_command, "Execute Asterisk CLI Command", mandescr_command );
ast_manager_register2("ExtensionState", EVENT_FLAG_CALL | EVENT_FLAG_REPORTING, action_extensionstate, "Check Extension Status", mandescr_extensionstate );
ast_manager_register2("AbsoluteTimeout", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, action_timeout, "Set Absolute Timeout", mandescr_timeout );
Modified: team/murf/bug11210/res/res_config_pgsql.c
URL: http://svn.digium.com/view/asterisk/team/murf/bug11210/res/res_config_pgsql.c?view=diff&rev=104075&r1=104074&r2=104075
==============================================================================
--- team/murf/bug11210/res/res_config_pgsql.c (original)
+++ team/murf/bug11210/res/res_config_pgsql.c Sat Feb 23 20:43:31 2008
@@ -912,23 +912,21 @@
pgsqlConn = NULL;
}
- if ((!pgsqlConn) && (!ast_strlen_zero(dbhost) || !ast_strlen_zero(dbsock)) && !ast_strlen_zero(dbuser) && !ast_strlen_zero(dbpass) && !ast_strlen_zero(my_database)) {
- char *connInfo = NULL;
- unsigned int size = 100 + strlen(dbhost)
- + strlen(dbuser)
- + strlen(dbpass)
- + strlen(my_database);
-
- if (!(connInfo = ast_malloc(size)))
- return 0;
-
- sprintf(connInfo, "host=%s port=%d dbname=%s user=%s password=%s",
- dbhost, dbport, my_database, dbuser, dbpass);
- ast_debug(1, "%u connInfo=%s\n", size, connInfo);
- pgsqlConn = PQconnectdb(connInfo);
- ast_debug(1, "%u connInfo=%s\n", size, connInfo);
+ /* DB password can legitimately be 0-length */
+ if ((!pgsqlConn) && (!ast_strlen_zero(dbhost) || !ast_strlen_zero(dbsock)) && !ast_strlen_zero(dbuser) && dbpass && !ast_strlen_zero(my_database)) {
+ struct ast_str *connInfo = ast_str_create(32);
+
+ ast_str_set(&connInfo, 0, "host=%s port=%d dbname=%s user=%s",
+ dbhost, dbport, my_database, dbuser);
+ if (!ast_strlen_zero(dbpass))
+ ast_str_append(&connInfo, 0, " password=%s", dbpass);
+
+ ast_debug(1, "%u connInfo=%s\n", connInfo->len, connInfo->str);
+ pgsqlConn = PQconnectdb(connInfo->str);
+ ast_debug(1, "%u connInfo=%s\n", connInfo->len, connInfo->str);
ast_free(connInfo);
connInfo = NULL;
+
ast_debug(1, "pgsqlConn=%p\n", pgsqlConn);
if (pgsqlConn && PQstatus(pgsqlConn) == CONNECTION_OK) {
ast_debug(1, "PostgreSQL RealTime: Successfully connected to database.\n");
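Review bot: Both `ast_debug` calls around `PQconnectdb` print `connInfo->str` after `password=` has been appended, so the database password is written to the debug log in clear text. Log only the non-secret fields, for example `ast_debug(1, "connecting: host=%s port=%d dbname=%s user=%s\n", dbhost, dbport, my_database, dbuser);`, and drop the duplicate call after the connect. The result of `ast_str_create(32)` is also used without a NULL check, whereas the removed code returned 0 when its allocation failed; `if (!connInfo) return 0;` restores that. The enclosing function starts before this hunk.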
@@ -936,13 +934,12 @@
return 1;
} else {
ast_log(LOG_ERROR,
- "PostgreSQL RealTime: Failed to connect database server %s on %s. Check debug for more info.\n",
- dbname, dbhost);
- ast_debug(1, "PostgreSQL RealTime: Cannot Connect: %s\n", PQresultErrorMessage(NULL));
+ "PostgreSQL RealTime: Failed to connect database %s on %s: %s\n",
+ dbname, dbhost, PQresultErrorMessage(NULL));
return 0;
}
} else {
- ast_debug(1, "PostgreSQL RealTime: Everything is fine.\n");
+ ast_debug(1, "PostgreSQL RealTime: One or more of the parameters in the config does not pass our validity checks.\n");
return 1;
}
}
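Review bot: `PQresultErrorMessage(NULL)` in the new LOG_ERROR call is passed no result object, so it cannot report why the connection failed; the connection-level text comes from `PQerrorMessage(pgsqlConn)`. The message also prints `dbname`, while the connection string in the previous hunk is built from `my_database`, so the logged name may not be the one actually used. In the final `else`, the new debug text blames the config parameters, but that branch appears to be reached as well when `pgsqlConn` is already set, and it still returns 1; splitting the two cases or rewording the message would keep the log from misleading an operator. The function begins outside this hunk.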