[asterisk-commits] moy: branch moy/mfcr2-1.4 r267095 - in /team/moy/mfcr2-1.4: ./ apps/ build_to...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Jun 2 13:02:54 CDT 2010
Author: moy
Date: Wed Jun 2 13:02:38 2010
New Revision: 267095
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=267095
Log:
merged 1.4.32 tag
Added:
team/moy/mfcr2-1.4/.lastclean
- copied unchanged from r267091, tags/1.4.32/.lastclean
team/moy/mfcr2-1.4/.version
- copied unchanged from r267091, tags/1.4.32/.version
team/moy/mfcr2-1.4/ChangeLog
- copied unchanged from r267091, tags/1.4.32/ChangeLog
team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt (with props)
team/moy/mfcr2-1.4/contrib/init.d/org.asterisk.asterisk.plist (with props)
Removed:
team/moy/mfcr2-1.4/asterisk-1.4.28-summary.html
team/moy/mfcr2-1.4/asterisk-1.4.28-summary.txt
team/moy/mfcr2-1.4/contrib/firmware/
Modified:
team/moy/mfcr2-1.4/ (props changed)
team/moy/mfcr2-1.4/BUGS
team/moy/mfcr2-1.4/LICENSE
team/moy/mfcr2-1.4/Makefile
team/moy/mfcr2-1.4/Makefile.rules
team/moy/mfcr2-1.4/apps/app_chanspy.c
team/moy/mfcr2-1.4/apps/app_dial.c
team/moy/mfcr2-1.4/apps/app_echo.c
team/moy/mfcr2-1.4/apps/app_followme.c
team/moy/mfcr2-1.4/apps/app_meetme.c
team/moy/mfcr2-1.4/apps/app_mixmonitor.c
team/moy/mfcr2-1.4/apps/app_mp3.c
team/moy/mfcr2-1.4/apps/app_parkandannounce.c
team/moy/mfcr2-1.4/apps/app_queue.c
team/moy/mfcr2-1.4/apps/app_userevent.c
team/moy/mfcr2-1.4/apps/app_voicemail.c
team/moy/mfcr2-1.4/apps/app_waitforring.c
team/moy/mfcr2-1.4/apps/app_waitforsilence.c
team/moy/mfcr2-1.4/build_tools/cflags.xml
team/moy/mfcr2-1.4/build_tools/make_build_h
team/moy/mfcr2-1.4/build_tools/make_version_h
team/moy/mfcr2-1.4/build_tools/menuselect-deps.in
team/moy/mfcr2-1.4/channels/chan_agent.c
team/moy/mfcr2-1.4/channels/chan_dahdi.c
team/moy/mfcr2-1.4/channels/chan_h323.c
team/moy/mfcr2-1.4/channels/chan_iax2.c
team/moy/mfcr2-1.4/channels/chan_local.c
team/moy/mfcr2-1.4/channels/chan_mgcp.c
team/moy/mfcr2-1.4/channels/chan_misdn.c
team/moy/mfcr2-1.4/channels/chan_sip.c
team/moy/mfcr2-1.4/channels/chan_skinny.c
team/moy/mfcr2-1.4/codecs/gsm/Makefile
team/moy/mfcr2-1.4/config.guess
team/moy/mfcr2-1.4/configs/cdr.conf.sample
team/moy/mfcr2-1.4/configs/chan_dahdi.conf.sample
team/moy/mfcr2-1.4/configs/extensions.ael.sample
team/moy/mfcr2-1.4/configs/extensions.conf.sample
team/moy/mfcr2-1.4/configs/manager.conf.sample
team/moy/mfcr2-1.4/configs/say.conf.sample
team/moy/mfcr2-1.4/configs/sip.conf.sample
team/moy/mfcr2-1.4/configure
team/moy/mfcr2-1.4/configure.ac
team/moy/mfcr2-1.4/contrib/init.d/rc.debian.asterisk
team/moy/mfcr2-1.4/contrib/scripts/safe_asterisk
team/moy/mfcr2-1.4/doc/backtrace.txt
team/moy/mfcr2-1.4/doc/configuration.txt
team/moy/mfcr2-1.4/doc/imapstorage.txt
team/moy/mfcr2-1.4/doc/localchannel.txt
team/moy/mfcr2-1.4/funcs/func_cdr.c
team/moy/mfcr2-1.4/funcs/func_math.c
team/moy/mfcr2-1.4/include/asterisk/acl.h
team/moy/mfcr2-1.4/include/asterisk/app.h
team/moy/mfcr2-1.4/include/asterisk/astobj2.h
team/moy/mfcr2-1.4/include/asterisk/audiohook.h
team/moy/mfcr2-1.4/include/asterisk/autoconfig.h.in
team/moy/mfcr2-1.4/include/asterisk/cdr.h
team/moy/mfcr2-1.4/include/asterisk/channel.h
team/moy/mfcr2-1.4/include/asterisk/frame.h
team/moy/mfcr2-1.4/include/asterisk/rtp.h
team/moy/mfcr2-1.4/include/asterisk/threadstorage.h
team/moy/mfcr2-1.4/main/Makefile
team/moy/mfcr2-1.4/main/app.c
team/moy/mfcr2-1.4/main/ast_expr2.fl
team/moy/mfcr2-1.4/main/ast_expr2f.c
team/moy/mfcr2-1.4/main/asterisk.c
team/moy/mfcr2-1.4/main/astobj2.c
team/moy/mfcr2-1.4/main/audiohook.c
team/moy/mfcr2-1.4/main/cdr.c
team/moy/mfcr2-1.4/main/channel.c
team/moy/mfcr2-1.4/main/config.c
team/moy/mfcr2-1.4/main/editline/configure
team/moy/mfcr2-1.4/main/editline/configure.in
team/moy/mfcr2-1.4/main/file.c
team/moy/mfcr2-1.4/main/http.c
team/moy/mfcr2-1.4/main/loader.c
team/moy/mfcr2-1.4/main/logger.c
team/moy/mfcr2-1.4/main/manager.c
team/moy/mfcr2-1.4/main/pbx.c
team/moy/mfcr2-1.4/main/rtp.c
team/moy/mfcr2-1.4/main/say.c
team/moy/mfcr2-1.4/main/sched.c
team/moy/mfcr2-1.4/main/utils.c
team/moy/mfcr2-1.4/makeopts.in
team/moy/mfcr2-1.4/pbx/Makefile
team/moy/mfcr2-1.4/pbx/ael/ael_lex.c
team/moy/mfcr2-1.4/pbx/pbx_dundi.c
team/moy/mfcr2-1.4/pbx/pbx_spool.c
team/moy/mfcr2-1.4/res/res_agi.c
team/moy/mfcr2-1.4/res/res_features.c
team/moy/mfcr2-1.4/res/res_monitor.c
team/moy/mfcr2-1.4/res/res_musiconhold.c
team/moy/mfcr2-1.4/res/res_smdi.c
team/moy/mfcr2-1.4/sounds/Makefile
team/moy/mfcr2-1.4/utils/Makefile
team/moy/mfcr2-1.4/utils/astman.c
Propchange: team/moy/mfcr2-1.4/
------------------------------------------------------------------------------
--- svn:externals (original)
+++ svn:externals Wed Jun 2 13:02:38 2010
@@ -1,1 +1,1 @@
-menuselect https://origsvn.digium.com/svn/menuselect/tags/autotag_for_asterisk/1.4.28-rc1
+menuselect https://origsvn.digium.com/svn/menuselect/tags/autotag_for_asterisk/1.4.32-rc1
Propchange: team/moy/mfcr2-1.4/
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Wed Jun 2 13:02:38 2010
@@ -1,0 +1,5 @@
+/branches/1.4:233953-261541,265610
+/tags/1.4.32:266577-267091
+/tags/1.4.32-rc1:261542-265861
+/tags/1.4.32-rc2:265862-266576
+/trunk:228798
Modified: team/moy/mfcr2-1.4/BUGS
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/BUGS?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/BUGS (original)
+++ team/moy/mfcr2-1.4/BUGS Wed Jun 2 13:02:38 2010
@@ -4,7 +4,7 @@
To learn about and report Asterisk bugs, please visit
the official Asterisk Bug Tracker at:
- http://bugs.digium.com
+ https://issues.asterisk.org
For more information on using the bug tracker, or to
learn how you can contribute by acting as a bug marshal
Modified: team/moy/mfcr2-1.4/LICENSE
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/LICENSE?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/LICENSE (original)
+++ team/moy/mfcr2-1.4/LICENSE Wed Jun 2 13:02:38 2010
@@ -7,15 +7,8 @@
This package also includes various components that are not part of
Asterisk itself; these components are in the 'contrib' directory
-and its subdirectories. Most of these components are also
-distributed under the GPL version 2 as well, except for the following:
-
-contrib/firmware/iax/iaxy.bin:
- This file is Copyright (C) Digium, Inc. and is licensed for
- use with Digium IAXy hardware devices only. It can be
- distributed freely as long as the distribution is in the
- original form present in this package (not reformatted or
- modified).
+and its subdirectories. These components are also distributed under the
+GPL version 2 as well.
Digium, Inc. (formerly Linux Support Services) holds copyright
and/or sufficient licenses to all components of the Asterisk
Modified: team/moy/mfcr2-1.4/Makefile
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/Makefile?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/Makefile (original)
+++ team/moy/mfcr2-1.4/Makefile Wed Jun 2 13:02:38 2010
@@ -66,7 +66,6 @@
export DOWNLOAD
export AWK
export GREP
-export ID
export OSARCH
export CURSES_DIR
export NCURSES_DIR
@@ -74,6 +73,7 @@
export TINFO_DIR
export GTK2_LIB
export GTK2_INCLUDE
+export WGET_EXTRA_ARGS
# even though we could use '-include makeopts' here, use a wildcard
# lookup anyway, so that make won't try to build makeopts if it doesn't
@@ -323,7 +323,10 @@
@exit 1
menuselect.makeopts: menuselect/menuselect menuselect-tree makeopts build_tools/menuselect-deps $(GLOBAL_MAKEOPTS) $(USER_MAKEOPTS)
+ifeq ($(filter %menuselect,$(MAKECMDGOALS)),)
+ menuselect/menuselect --check-deps $@
menuselect/menuselect --check-deps $@ $(GLOBAL_MAKEOPTS) $(USER_MAKEOPTS)
+endif
$(MOD_SUBDIRS_EMBED_LDSCRIPT):
+ at echo "EMBED_LDSCRIPTS+="`$(SUBMAKE) -C $(@:-embed-ldscript=) SUBDIR=$(@:-embed-ldscript=) __embed_ldscript` >> makeopts.embed_rules
@@ -335,8 +338,8 @@
+ at echo "EMBED_LIBS+="`$(SUBMAKE) -C $(@:-embed-libs=) SUBDIR=$(@:-embed-libs=) __embed_libs` >> makeopts.embed_rules
$(MOD_SUBDIRS_MENUSELECT_TREE):
- @$(SUBMAKE) -C $(@:-menuselect-tree=) SUBDIR=$(@:-menuselect-tree=) moduleinfo
- @$(SUBMAKE) -C $(@:-menuselect-tree=) SUBDIR=$(@:-menuselect-tree=) makeopts
+ +@$(SUBMAKE) -C $(@:-menuselect-tree=) SUBDIR=$(@:-menuselect-tree=) moduleinfo
+ +@$(SUBMAKE) -C $(@:-menuselect-tree=) SUBDIR=$(@:-menuselect-tree=) makeopts
makeopts.embed_rules: menuselect.makeopts
@echo "Generating embedded module rules ..."
@@ -354,10 +357,10 @@
main: $(filter-out main,$(MOD_SUBDIRS))
$(MOD_SUBDIRS):
- + at _ASTCFLAGS="$(MOD_SUBDIR_CFLAGS) $(_ASTCFLAGS)" $(MAKE) --no-builtin-rules -C $@ SUBDIR=$@ all
+ + at _ASTCFLAGS="$(MOD_SUBDIR_CFLAGS) $(_ASTCFLAGS)" ASTCFLAGS="$(ASTCFLAGS)" _ASTLDFLAGS="$(_ASTLDFLAGS)" ASTLDFLAGS="$(ASTLDFLAGS)" $(SUBMAKE) --no-builtin-rules -C $@ SUBDIR=$@ all
$(OTHER_SUBDIRS):
- + at _ASTCFLAGS="$(OTHER_SUBDIR_CFLAGS) $(_ASTCFLAGS)" $(MAKE) --no-builtin-rules -C $@ SUBDIR=$@ all
+ + at _ASTCFLAGS="$(OTHER_SUBDIR_CFLAGS) $(_ASTCFLAGS)" ASTCFLAGS="$(ASTCFLAGS)" _ASTLDFLAGS="$(_ASTLDFLAGS)" ASTLDFLAGS="$(ASTLDFLAGS)" $(SUBMAKE) --no-builtin-rules -C $@ SUBDIR=$@ all
defaults.h: makeopts
@build_tools/make_defaults_h > $@.tmp
@@ -410,9 +413,7 @@
rm -f build_tools/menuselect-deps
datafiles: _all
- if [ `$(ID) -u` = 0 ]; then \
- CFLAGS="$(_ASTCFLAGS) $(ASTCFLAGS)" build_tools/mkpkgconfig $(DESTDIR)/usr/lib/pkgconfig; \
- fi
+ CFLAGS="$(_ASTCFLAGS) $(ASTCFLAGS)" build_tools/mkpkgconfig $(DESTDIR)$(libdir)/pkgconfig;
# Should static HTTP be installed during make samples or even with its own target ala
# webvoicemail? There are portions here that *could* be customized but might also be
# improved a lot. I'll put it here for now.
@@ -615,9 +616,13 @@
echo ";maxcalls = 10 ; Maximum amount of calls allowed" ; \
echo ";maxload = 0.9 ; Asterisk stops accepting new calls if the load average exceed this limit" ; \
echo ";cache_record_files = yes ; Cache recorded sound files to another directory during recording" ; \
- echo ";record_cache_dir = /tmp ; Specify cache directory (used in cnjunction with cache_record_files)" ; \
+ echo ";record_cache_dir = /tmp ; Specify cache directory (used in conjunction with cache_record_files)" ; \
echo ";transmit_silence_during_record = yes ; Transmit SLINEAR silence while a channel is being recorded" ; \
- echo ";transmit_silence = yes ; Transmit SLINEAR silence while a channel is being recorded or DTMF is being generated" ; \
+ echo ";transmit_silence = yes ; Transmit silence while a channel is in a waiting state, a recording only state, or when DTMF is" ; \
+ echo " ; being generated. Note that the silence internally is generated in raw signed linear format." ; \
+ echo " ; This means that it must be transcoded into the native format of the channel before it can be sent" ; \
+ echo " ; to the device. It is for this reason that this is optional, as it may result in requiring a" ; \
+ echo " ; temporary codec translation path for a channel that may not otherwise require one." ; \
echo ";transcode_via_sln = yes ; Build transcode paths via SLINEAR, instead of directly" ; \
echo ";runuser = asterisk ; The user to run as" ; \
echo ";rungroup = asterisk ; The group to run as" ; \
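Review bot: The generated asterisk.conf sample still offers `/tmp` as the `record_cache_dir` example, in the line this hunk re-adds with the spelling fix. With `cache_record_files` enabled, that would stage call recordings in a directory shared with every local account, so a dedicated directory owned by the run user would be a safer example, e.g. `;record_cache_dir = <dir-owned-by-runuser>` (placeholder path). How the recording code creates its cache files is not visible here, so this is a hardening suggestion for the sample rather than a confirmed flaw. The echo block starts and ends outside the hunk.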
@@ -683,6 +688,8 @@
elif [ -f /etc/SuSE-release -o -f /etc/novell-release ]; then \
$(INSTALL) -m 755 contrib/init.d/rc.suse.asterisk $(DESTDIR)/etc/init.d/asterisk; \
if [ -z "$(DESTDIR)" ]; then /sbin/chkconfig --add asterisk; fi; \
+ elif [ -d $(DESTDIR)/Library/LaunchDaemons -a ! -f $(DESTDIR)/Library/LaunchDaemons/org.asterisk.asterisk.plist ]; then \
+ $(INSTALL) -m 644 contrib/init.d/org.asterisk.asterisk.plist $(DESTDIR)/Library/LaunchDaemons/org.asterisk.asterisk.plist; \
elif [ -f /etc/slackware-version ]; then \
echo "Slackware is not currently supported, although an init script does exist for it."; \
else \
@@ -746,19 +753,51 @@
menuconfig: menuselect
+cmenuconfig: cmenuselect
+
gmenuconfig: gmenuselect
-menuselect: menuselect/menuselect menuselect-tree
- - at menuselect/menuselect menuselect.makeopts $(GLOBAL_MAKEOPTS) $(USER_MAKEOPTS) && (echo "menuselect changes saved!"; rm -f channels/h323/Makefile.ast main/asterisk) || echo "menuselect changes NOT saved!"
-
-gmenuselect: menuselect/gmenuselect menuselect-tree
- - at menuselect/gmenuselect menuselect.makeopts $(GLOBAL_MAKEOPTS) $(USER_MAKEOPTS) && (echo "menuselect changes saved!"; rm -f channels/h323/Makefile.ast main/asterisk) || echo "menuselect changes NOT saved!"
-
-menuselect/menuselect: makeopts menuselect/menuselect.c menuselect/menuselect_curses.c menuselect/menuselect_stub.c menuselect/menuselect.h menuselect/linkedlists.h makeopts
- @CC="$(HOST_CC)" LD="" AR="" RANLIB="" CFLAGS="" $(MAKE) -C menuselect CONFIGURE_SILENT="--silent"
-
-menuselect/gmenuselect: makeopts menuselect/menuselect.c menuselect/menuselect_gtk.c menuselect/menuselect_stub.c menuselect/menuselect.h menuselect/linkedlists.h makeopts
- @CC="$(HOST_CC)" CXX="$(CXX)" LD="" AR="" RANLIB="" CFLAGS="" $(MAKE) -C menuselect _gmenuselect CONFIGURE_SILENT="--silent"
+nmenuconfig: nmenuselect
+
+menuselect: menuselect/cmenuselect menuselect/nmenuselect menuselect/gmenuselect
+ @if [ -x menuselect/nmenuselect ]; then \
+ $(MAKE) nmenuselect; \
+ elif [ -x menuselect/cmenuselect ]; then \
+ $(MAKE) cmenuselect; \
+ elif [ -x menuselect/gmenuselect ]; then \
+ $(MAKE) gmenuselect; \
+ else \
+ echo "No menuselect user interface found. Install ncurses,"; \
+ echo "newt or GTK libraries to build one and re-rerun"; \
+ echo "'make menuselect'."; \
+ fi
+
+cmenuselect: menuselect/cmenuselect menuselect-tree menuselect.makeopts
+ - at menuselect/cmenuselect menuselect.makeopts && (echo "menuselect changes saved!"; rm -f channels/h323/Makefile.ast main/asterisk) || echo "menuselect changes NOT saved!"
+
+gmenuselect: menuselect/gmenuselect menuselect-tree menuselect.makeopts
+ - at menuselect/gmenuselect menuselect.makeopts && (echo "menuselect changes saved!"; rm -f channels/h323/Makefile.ast main/asterisk) || echo "menuselect changes NOT saved!"
+
+nmenuselect: menuselect/nmenuselect menuselect-tree menuselect.makeopts
+ - at menuselect/nmenuselect menuselect.makeopts && (echo "menuselect changes saved!"; rm -f channels/h323/Makefile.ast main/asterisk) || echo "menuselect changes NOT saved!"
+
+# options for make in menuselect/
+MAKE_MENUSELECT=CC="$(HOST_CC)" CXX="$(CXX)" LD="" AR="" RANLIB="" CFLAGS="" $(MAKE) -C menuselect CONFIGURE_SILENT="--silent"
+
+menuselect/menuselect: menuselect/makeopts
+ +$(MAKE_MENUSELECT) menuselect
+
+menuselect/cmenuselect: menuselect/makeopts
+ +$(MAKE_MENUSELECT) cmenuselect
+
+menuselect/gmenuselect: menuselect/makeopts
+ +$(MAKE_MENUSELECT) gmenuselect
+
+menuselect/nmenuselect: menuselect/makeopts
+ +$(MAKE_MENUSELECT) nmenuselect
+
+menuselect/makeopts: makeopts
+ +$(MAKE_MENUSELECT) makeopts
menuselect-tree: $(foreach dir,$(filter-out main,$(MOD_SUBDIRS)),$(wildcard $(dir)/*.c) $(wildcard $(dir)/*.cc)) build_tools/cflags.xml build_tools/cflags-devmode.xml sounds/sounds.xml build_tools/embed_modules.xml configure
@echo "Generating input for menuselect ..."
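Review bot: The fallback branch of the new `menuselect` recipe only prints "No menuselect user interface found" and then reaches `fi`, so `make menuselect` (and `menuconfig`, which depends on it) exits successfully even though no front end ran. Ending that branch with `exit 1; \` after the last `echo` would let scripts and automated builds notice the failure. The message also says "re-rerun", which should read `re-run`. The rule lists all three front ends as prerequisites before the `-x` tests pick one; that looks intentional, but a one-line comment above the rule saying so would help.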
Modified: team/moy/mfcr2-1.4/Makefile.rules
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/Makefile.rules?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/Makefile.rules (original)
+++ team/moy/mfcr2-1.4/Makefile.rules Wed Jun 2 13:02:38 2010
@@ -36,6 +36,12 @@
endif
OPTIMIZE?=-O6
+ifneq ($(findstring darwin,$(OSARCH)),)
+ ifeq ($(shell /usr/bin/sw_vers -productVersion | cut -c1-4),10.6)
+ # Snow Leopard has an issue with this optimization flag on large files (like chan_sip)
+ OPTIMIZE+=-fno-inline-functions
+ endif
+endif
ifeq ($(findstring DONT_OPTIMIZE,$(MENUSELECT_CFLAGS)),)
_ASTCFLAGS+=$(OPTIMIZE)
Added: team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt?view=auto&rev=267095
==============================================================================
--- team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt (added)
+++ team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt Wed Jun 2 13:02:38 2010
@@ -1,0 +1,295 @@
+==================
+| Best Practices |
+==================
+
+The purpose of this document is to define best practices when working with
+Asterisk in order to minimize possible security breaches and to provide tried
+examples in field deployments. This is a living document and is subject to
+change over time as best practices are defined.
+
+--------
+Sections
+--------
+
+* Filtering Data:
+ How to protect yourself from redial attacks
+
+* Proper Device Naming:
+ Why to not use numbered extensions for devices
+
+* Secure Passwords:
+ Secure passwords limit your risk to brute force attacks
+
+* Reducing Pattern Match Typos:
+ Using the 'same' prefix, or using Goto()
+
+----------------
+Additional Links
+----------------
+
+Additional links that contain useful information about best practices or
+security are listed below.
+
+* Seven Steps to Better SIP Security:
+ http://blogs.digium.com/2009/03/28/sip-security/
+
+* Asterisk VoIP Security (webinar):
+ http://www.asterisk.org/security/webinar/
+
+
+==============
+Filtering Data
+==============
+
+In the Asterisk dialplan, several channel variables contain data potentially
+supplied by outside sources. This could lead to a potential security concern
+where those outside sources may send cleverly crafted strings of data which
+could be utilized, e.g. to place calls to unexpected locations.
+
+An example of this can be found in the use of pattern matching and the ${EXTEN}
+channel variable. Note that ${EXTEN} is not the only system created channel
+variable, so it is important to be aware of where the data you're using is
+coming from.
+
+For example, this common dialplan takes 2 or more characters of data, starting
+with a number 0-9, and then accepts any additional information supplied by the
+request.
+
+[NOTE: We use SIP in this example, but is not limited to SIP only; protocols
+ such as Jabber/XMPP or IAX2 are also susceptible to the same sort of
+ injection problem.]
+
+
+[incoming]
+exten => _X.,1,Verbose(2,Incoming call to extension ${EXTEN})
+exten => _X.,n,Dial(SIP/${EXTEN})
+exten => _X.,n,Hangup()
+
+This dialplan may be utilized to accept calls to extensions, which then dial a
+numbered device name configured in one of the channel configuration files (such
+as sip.conf, iax.conf, etc...) (see the section Proper Device Naming for more
+information on why this approach is flawed).
+
+The example we've given above looks harmless enough until you take into
+consideration that several channel technologies accept characters that could
+be utilized in a clever attack. For example, instead of just sending a request
+to dial extension 500 (which in our example above would create the string
+SIP/500 and is then used by the Dial() application to place a call), someone
+could potentially send a string like "500&SIP/itsp/14165551212".
+
+The string "500&SIP/itsp/14165551212" would then be contained within the
+${EXTEN} channel variable, which is then utilized by the Dial() application in
+our example, thereby giving you the dialplan line of:
+
+exten => _X.,n,Dial(SIP/500&SIP/itsp/14165551212)
+
+Our example above has now provided someone with a method to place calls out of
+your ITSP in a place where you didn't expect to allow it. There are a couple of
+ways in which you can mitigate this impact: stricter pattern matching, or using
+the FILTER() dialplan function.
+
+Strict Pattern Matching
+-----------------------
+
+The simple way to mitigate this problem is with a strict pattern match that does
+not utilize the period (.) or bang (!) characters to match on one-or-more
+characters or zero-or-more characters (respectively). To fine tune our example
+to only accept three digit extensions, we could change our pattern match to
+be:
+
+exten => _XXX,n,Dial(SIP/${EXTEN})
+
+In this way, we have minimized our impact because we're not allowing anything
+other than the numbers zero through nine. But in some cases we really do need to
+handle variable pattern matches, such as when dialing international numbers
+or when we want to handle something like a SIP URI. In this case, we'll need to
+utilize the FILTER() dialplan function.
+
+Using FILTER()
+--------------
+
+The FILTER() dialplan function is used to filter strings by only allowing
+characters that you have specified. This is a perfect candidate for controlling
+which characters you want to pass to the Dial() application, or any other
+application which will contain dynamic information passed to Asterisk from an
+external source. Lets take a look at how we can use FILTER() to control what
+data we allow.
+
+Using our previous example to accept any string length of 2 or more characters,
+starting with a number of zero through nine, we can use FILTER() to limit what
+we will accept to just numbers. Our example would then change to something like:
+
+[incoming]
+exten => _X.,1,Verbose(2,Incoming call to extension ${EXTEN})
+exten => _X.,n,Dial(SIP/${FILTER(0123456789,${EXTEN})})
+exten => _X.,n,Hangup()
+
+Note how we've wrapped the ${EXTEN} channel variable with the FILTER() function
+which will then only pass back characters that fit into the numerical range that
+we've defined.
+
+Alternatively, if we didn't want to utilize the FILTER() function within the
+Dial() application directly, we could save the value to a channel variable,
+which has a side effect of being usable in other locations of your dialplan if
+necessary, and to handle error checking in a separate location.
+
+[incoming]
+exten => _X.,1,Verbose(2,Incoming call to extension ${EXTEN})
+exten => _X.,n,Set(SAFE_EXTEN=${FILTER(0123456789,${EXTEN})})
+exten => _X.,n,Dial(SIP/${SAFE_EXTEN})
+exten => _X.,n,Hangup()
+
+Now we can use the ${SAFE_EXTEN} channel variable anywhere throughout the rest
+of our dialplan, knowing we've already filtered it. We could also perform an
+error check to verify that what we've received in ${EXTEN} also matches the data
+passed back by FILTER(), and to fail the call if things do not match.
+
+[incoming]
+exten => _X.,1,Verbose(2,Incoming call to extension ${EXTEN})
+exten => _X.,n,Set(SAFE_EXTEN=${FILTER(0123456789,${EXTEN})})
+exten => _X.,n,GotoIf($[${EXTEN} != ${SAFE_EXTEN}]?error,1)
+exten => _X.,n,Dial(SIP/${SAFE_EXTEN})
+exten => _X.,n,Hangup()
+
+exten => error,1,Verbose(2,Values of EXTEN and SAFE_EXTEN did not match.)
+exten => error,n,Verbose(2,EXTEN: "${EXTEN}" -- SAFE_EXTEN: "${SAFE_EXTEN}")
+exten => error,n,Playback(silence/1&invalid)
+exten => error,n,Hangup()
+
+Another example would be using FILTER() to control the characters we accept when
+we're expecting to get a SIP URI for dialing.
+
+[incoming]
+exten => _[0-9a-zA-Z].,1,Verbose(2,Incoming call to extension ${EXTEN})
+exten => _[0-9a-zA-Z].,n,Dial(SIP/${FILTER(. at 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,${EXTEN})
+exten => _[0-9a-zA-Z].,n,Hangup()
+
+Of course the FILTER() function doesn't check the formatting of the incoming
+request. There is also the REGEX() dialplan function which can be used to
+determine if the string passed to it matches the regular expression you've
+created, and to take proper action on whether it matches or not. The creation of
+regular expressions is left as an exercise for the reader.
+
+More information about the FILTER() and REGEX() dialplan functions can be found
+by typing "core show function FILTER" and "core show function REGEX" from your
+Asterisk console.
+
+
+====================
+Proper Device Naming
+====================
+
+In Asterisk, the concept of an extension number being tied to a specific device
+does not exist. Asterisk is aware of devices it can call or receive calls from,
+and how you define in your dialplan how to reach those devices is up to you.
+
+Because it has become common practice to think of a specific device as having an
+extension number associated with it, it only becomes natural to think about
+naming your devices the same as the extension number you're providing it. But
+by doing this, you're limiting the powerful concept of separating user from
+extensions, and extensions from devices.
+
+It can also be a security hazard to name your devices with a number, as this can
+open you up to brute force attacks. Many of the current exploits deal with
+device configurations which utilize a number, and even worse, a password that
+matches the devices name. For example, take a look at this poorly created device
+in sip.conf:
+
+[1000]
+type=friend
+context=international_dialing
+secret=1000
+
+As implied by the context, we've permitted a device named 1000 with a password
+of 1000 to place calls internationally. If your PBX system is accessible via
+the internet, then your system will be vulnerable to expensive international
+calls. Even if your system is not accessible via the internet, people within
+your organization could get access to dialing rules you'd prefer to reserve only
+for certain people.
+
+A more secure example for the device would be to use something like the MAC
+address of the device, along with a strong password (see the section Secure
+Passwords). The following example would be more secure:
+
+[0004f2040001]
+type=friend
+context=international_dialing
+secret=aE3%B8*$jk^G
+
+Then in your dialplan, you would reference the device via the MAC address of the
+device (or if using the softphone, a MAC address of a network interface on the
+computer).
+
+Also note that you should NOT use this password, as it will likely be one of the
+first ones added to the dictionary for brute force attacks.
+
+
+================
+Secure Passwords
+================
+
+Secure passwords are necessary in many (if not all) environments, and Asterisk
+is certainly no exception, especially when it comes to expensive long distance
+calls that could potentially cost your company hundreds or thousands of dollars
+on an expensive monthly phone bill, with little to no recourse to fight the
+charges.
+
+Whenever you are positioned to add a password to your system, whether that is
+for a device configuration, a database connection, or any other secure
+connection, be sure to use a secure password. A good example of a secure
+password would be something like:
+
+aE3%B8*$jk^G
+
+Our password also contains 12 characters with a mixture of upper and
+lower case characters, numbers, and symbols. Because these passwords are likely
+to only be entered once, or loaded via a configuration file, there is
+no need to create simple passwords, even in testing. Some of the holes found in
+production systems used for exploitations involve finding the one test extension
+that contains a weak password that was forgotten prior to putting a system into
+production.
+
+Using a web search you can find several online password generators such as
+http://www.strongpasswordgenerator.com or there are several scripts that can be
+used to generate a strong password.
+
+
+============================
+Reducing Pattern Match Typos
+============================
+
+As of Asterisk 1.6.2, a new method for reducing the number of complex pattern
+matches you need to enter, which can reduce typos in your dialplan, has been
+implemented. Traditionally, a dialplan with a complex pattern match would look
+something like:
+
+exten => _[3-5]XXX,1,Verbose(Incoming call to ${EXTEN})
+exten => _[3-5]XXX,n,Set(DEVICE=${DB(device/mac_address/${EXTEN})})
+exten => _[3-5]XXX,n,Set(TECHNOLOGY=${DB(device/technology/${EXTEN})})
+exten => _[3-5]XXX,n,GotoIf($[${ISNULL(${TECHNOLOGY})} | ${ISNULL(${DEVICE})}]?error,1)
+exten => _[3-5]XXX,n,Dial(${TECHNOLOGY}/${DEVICE},${GLOBAL(TIMEOUT)})
+exten => _[3-5]XXX,n,Set(vmFlag=${IF($[${DIALSTATUS} = BUSY]?b:u)})
+exten => _[3-5]XXX,n,Voicemail(${EXTEN}@${GLOBAL(VOICEMAIL_CONTEXT)},${vmFlag})
+exten => _[3-5]XXX,n,Hangup()
+
+exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
+exten => error,n,Playback(silence/1&num-not-in-db)
+exten => error,n,Hangup()
+
+Of course there exists the possibility for a typo when retyping the pattern
+match _[3-5]XXX which will match on extensions 3000 through 5999. We can
+minimize this error by utilizing the same => prefix on all lines beyond the
+first one. Our same dialplan with using same => would look like the following:
+
+exten => _[3-5]XXX,1,Verbose(Incoming call to ${EXTEN})
+same => n,Set(DEVICE=${DB(device/mac_address/${EXTEN})})
+same => n,Set(TECHNOLOGY=${DB(device/technology/${EXTEN})})
+same => n,GotoIf($[${ISNULL(${TECHNOLOGY})} | ${ISNULL(${DEVICE})}]?error,1)
+same => n,Dial(${TECHNOLOGY}/${DEVICE},${GLOBAL(TIMEOUT)})
+same => n,Set(vmFlag=${IF($[${DIALSTATUS} = BUSY]?b:u)})
+same => n,Voicemail(${EXTEN}@${GLOBAL(VOICEMAIL_CONTEXT)},${vmFlag})
+same => n,Hangup()
+
+exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
+same => n,Playback(silence/1&num-not-in-db)
+same => n,Hangup()
Propchange: team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt
------------------------------------------------------------------------------
svn:keywords = wtf
Propchange: team/moy/mfcr2-1.4/README-SERIOUSLY.bestpractices.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: team/moy/mfcr2-1.4/apps/app_chanspy.c
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/apps/app_chanspy.c?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/apps/app_chanspy.c (original)
+++ team/moy/mfcr2-1.4/apps/app_chanspy.c Wed Jun 2 13:02:38 2010
@@ -77,7 +77,7 @@
" Options:\n"
" b - Only spy on channels involved in a bridged call.\n"
" g(grp) - Match only channels where their ${SPYGROUP} variable is set to\n"
-" contain 'grp' in an optional : delimited list.\n"
+" contain 'grp'.\n"
" q - Don't play a beep when beginning to spy on a channel, or speak the\n"
" selected channel name.\n"
" r[(basename)] - Record the session to the monitor spool directory. An\n"
@@ -105,7 +105,7 @@
" Options:\n"
" b - Only spy on channels involved in a bridged call.\n"
" g(grp) - Match only channels where their ${SPYGROUP} variable is set to\n"
-" contain 'grp' in an optional : delimited list.\n"
+" contain 'grp'.\n"
" q - Don't play a beep when beginning to spy on a channel, or speak the\n"
" selected channel name.\n"
" r[(basename)] - Record the session to the monitor spool directory. An\n"
Modified: team/moy/mfcr2-1.4/apps/app_dial.c
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/apps/app_dial.c?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/apps/app_dial.c (original)
+++ team/moy/mfcr2-1.4/apps/app_dial.c Wed Jun 2 13:02:38 2010
@@ -203,10 +203,12 @@
" answered the call.\n"
" t - Allow the called party to transfer the calling party by sending the\n"
" DTMF sequence defined in the blindxfer setting in the featuremap section\n"
-" of features.conf.\n"
+" of features.conf. This setting does not perform policy enforcement on\n"
+" transfers initiated by other methods.\n"
" T - Allow the calling party to transfer the called party by sending the\n"
" DTMF sequence defined in the blindxfer setting in the featuremap section\n"
-" of features.conf.\n"
+" of features.conf. This setting does not perform policy enforcement on\n"
+" transfers initiated by other methods.\n"
" w - Allow the called party to enable recording of the call by sending\n"
" the DTMF sequence defined in the automon setting in the featuremap section\n"
" of features.conf.\n"
@@ -870,12 +872,12 @@
ast_channel_lock(chan);
if (chan->cdr->answer.tv_sec) {
- snprintf(buf, sizeof(buf), "%ld", end - chan->cdr->answer.tv_sec);
+ snprintf(buf, sizeof(buf), "%ld", (long) end - chan->cdr->answer.tv_sec);
pbx_builtin_setvar_helper(chan, "ANSWEREDTIME", buf);
}
if (chan->cdr->start.tv_sec) {
- snprintf(buf, sizeof(buf), "%ld", end - chan->cdr->start.tv_sec);
+ snprintf(buf, sizeof(buf), "%ld", (long) end - chan->cdr->start.tv_sec);
pbx_builtin_setvar_helper(chan, "DIALEDTIME", buf);
}
ast_channel_unlock(chan);
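Review bot: The `(long)` cast added to both snprintf calls binds to `end` alone, not to the subtraction, so the argument passed for `%ld` still has whatever type the usual arithmetic conversions give `long - tv_sec`. If `tv_sec` is wider than `long` on some target (its type is not visible here), the format/argument mismatch this change seems aimed at remains. Casting the result removes the ambiguity: `snprintf(buf, sizeof(buf), "%ld", (long) (end - chan->cdr->answer.tv_sec));`, and the same for `start.tv_sec`. The same two lines appear in the app_followme.c hunk at -928 and deserve the same change. The enclosing function starts and ends outside the hunk.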
Modified: team/moy/mfcr2-1.4/apps/app_echo.c
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/apps/app_echo.c?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/apps/app_echo.c (original)
+++ team/moy/mfcr2-1.4/apps/app_echo.c Wed Jun 2 13:02:38 2010
@@ -65,8 +65,9 @@
while (ast_waitfor(chan, -1) > -1) {
struct ast_frame *f = ast_read(chan);
- if (!f)
+ if (!f) {
break;
+ }
f->delivery.tv_sec = 0;
f->delivery.tv_usec = 0;
if (ast_write(chan, f)) {
Modified: team/moy/mfcr2-1.4/apps/app_followme.c
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/apps/app_followme.c?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/apps/app_followme.c (original)
+++ team/moy/mfcr2-1.4/apps/app_followme.c Wed Jun 2 13:02:38 2010
@@ -928,12 +928,12 @@
ast_channel_lock(chan);
if (chan->cdr->answer.tv_sec) {
- snprintf(buf, sizeof(buf), "%ld", end - chan->cdr->answer.tv_sec);
+ snprintf(buf, sizeof(buf), "%ld", (long) end - chan->cdr->answer.tv_sec);
pbx_builtin_setvar_helper(chan, "ANSWEREDTIME", buf);
}
if (chan->cdr->start.tv_sec) {
- snprintf(buf, sizeof(buf), "%ld", end - chan->cdr->start.tv_sec);
+ snprintf(buf, sizeof(buf), "%ld", (long) end - chan->cdr->start.tv_sec);
pbx_builtin_setvar_helper(chan, "DIALEDTIME", buf);
}
ast_channel_unlock(chan);
Modified: team/moy/mfcr2-1.4/apps/app_meetme.c
URL: http://svnview.digium.com/svn/asterisk/team/moy/mfcr2-1.4/apps/app_meetme.c?view=diff&rev=267095&r1=267094&r2=267095
==============================================================================
--- team/moy/mfcr2-1.4/apps/app_meetme.c (original)
+++ team/moy/mfcr2-1.4/apps/app_meetme.c Wed Jun 2 13:02:38 2010
@@ -319,6 +319,9 @@
#define MAX_CONFNUM 80
#define MAX_PIN 80
+/* Enough space for "<conference #>,<pin>,<admin pin>" followed by a 0 byte. */
+#define MAX_SETTINGS (MAX_CONFNUM + MAX_PIN + MAX_PIN + 3)
+
enum announcetypes {
CONF_HASJOIN,
CONF_HASLEFT
@@ -1487,6 +1490,35 @@
}
return (chan->_state == AST_STATE_UP);
+}
+
+static void send_talking_event(struct ast_channel *chan, struct ast_conference *conf, struct ast_conf_user *user, int talking)
+{
+ manager_event(EVENT_FLAG_CALL, "MeetmeTalking",
+ "Channel: %s\r\n"
+ "Uniqueid: %s\r\n"
+ "Meetme: %s\r\n"
+ "Usernum: %d\r\n"
+ "Status: %s\r\n",
+ chan->name, chan->uniqueid, conf->confno, user->user_no, talking ? "on" : "off");
+}
+
+static void set_user_talking(struct ast_channel *chan, struct ast_conference *conf, struct ast_conf_user *user, int talking, int monitor)
+{
+ int last_talking = user->talking;
+ if (last_talking == talking)
+ return;
+
+ user->talking = talking;
+
+ if (monitor) {
+ /* Check if talking state changed. Take care of -1 which means unmonitored */
+ int was_talking = (last_talking > 0);
+ int now_talking = (talking > 0);
+ if (was_talking != now_talking) {
+ send_talking_event(chan, conf, user, now_talking);
+ }
+ }
}
static int conf_run(struct ast_channel *chan, struct ast_conference *conf, int confflags, char *optargs[])
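Review bot: `set_user_talking` is added without a header comment, and its `talking` argument is tri-state: only the inline remark reveals that -1 means unmonitored. Callers pass 1, 0 and -1 in other hunks of this file, so the contract belongs above the function, for example `/* talking: 1 = talking, 0 = silent, -1 = unmonitored; a MeetmeTalking event is sent only when monitor is non-zero and the (talking > 0) state flips */`. The early exit `if (last_talking == talking) return;` is also unbraced, while the rest of the new function braces its bodies; `if (last_talking == talking) { return; }` would match.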
@@ -1815,7 +1847,9 @@
close(fd);
goto outrun;
}
- ast_log(LOG_DEBUG, "Placed channel %s in %s conf %d\n", chan->name, dahdi_chan_name, conf->zapconf);
+ if (option_debug) {
+ ast_log(LOG_DEBUG, "Placed channel %s in %s conf %d\n", chan->name, dahdi_chan_name, conf->zapconf);
+ }
if (!sent_event) {
manager_event(EVENT_FLAG_CALL, "MeetmeJoin",
@@ -1993,6 +2027,11 @@
break;
}
+ /* Indicate user is not talking anymore - change him to unmonitored state */
+ if ((confflags & (CONFFLAG_MONITORTALKER | CONFFLAG_OPTIMIZETALKER))) {
+ set_user_talking(chan, conf, user, -1, confflags & CONFFLAG_MONITORTALKER);
+ }
+
manager_event(EVENT_FLAG_CALL, "MeetmeMute",
"Channel: %s\r\n"
"Uniqueid: %s\r\n"
@@ -2071,27 +2110,11 @@
user->talking = 0;
res = ast_dsp_silence(dsp, f, &totalsilence);
- if (!user->talking && totalsilence < MEETME_DELAYDETECTTALK) {
- user->talking = 1;
- if (confflags & CONFFLAG_MONITORTALKER)
- manager_event(EVENT_FLAG_CALL, "MeetmeTalking",
- "Channel: %s\r\n"
- "Uniqueid: %s\r\n"
- "Meetme: %s\r\n"
- "Usernum: %d\r\n"
- "Status: on\r\n",
- chan->name, chan->uniqueid, conf->confno, user->user_no);
+ if (totalsilence < MEETME_DELAYDETECTTALK) {
+ set_user_talking(chan, conf, user, 1, confflags & CONFFLAG_MONITORTALKER);
}
- if (user->talking && totalsilence > MEETME_DELAYDETECTENDTALK) {
- user->talking = 0;
- if (confflags & CONFFLAG_MONITORTALKER)
- manager_event(EVENT_FLAG_CALL, "MeetmeTalking",
- "Channel: %s\r\n"
- "Uniqueid: %s\r\n"
- "Meetme: %s\r\n"
- "Usernum: %d\r\n"
- "Status: off\r\n",
- chan->name, chan->uniqueid, conf->confno, user->user_no);
+ if (totalsilence > MEETME_DELAYDETECTENDTALK) {
+ set_user_talking(chan, conf, user, 0, confflags & CONFFLAG_MONITORTALKER);
}
}
if (using_pseudo) {
@@ -2545,7 +2568,6 @@
struct ast_config *cfg;
struct ast_variable *var;
struct ast_conference *cnf;
- char *parse;
AST_DECLARE_APP_ARGS(args,
AST_APP_ARG(confno);
AST_APP_ARG(pin);
@@ -2584,13 +2606,15 @@
ast_log(LOG_WARNING, "No %s file :(\n", CONFIG_FILE_NAME);
return NULL;
}
+
for (var = ast_variable_browse(cfg, "rooms"); var; var = var->next) {
+ char parse[MAX_SETTINGS];
+
if (strcasecmp(var->name, "conf"))
continue;
-
- if (!(parse = ast_strdupa(var->value)))
- return NULL;
-
+
+ ast_copy_string(parse, var->value, sizeof(parse));
+
AST_NONSTANDARD_APP_ARGS(args, parse, ',');
if (!strcasecmp(args.confno, confno)) {
/* Bingo it's a valid conference */
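Review bot: `ast_copy_string(parse, var->value, sizeof(parse))` silently truncates a `conf` line longer than MAX_SETTINGS - 1 bytes. The last field split out of it (the admin pin, going by the MAX_SETTINGS comment) would then be a shortened value rather than the one the administrator configured. How the fields are used afterwards is outside the hunk, but a credential that differs from the configured one should at least be logged rather than accepted quietly. A guard before the copy would cover it: `if (strlen(var->value) >= sizeof(parse)) { ast_log(LOG_WARNING, "conf entry too long, skipping\n"); continue; }`. The enclosing function starts and ends outside the hunk.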
@@ -2756,33 +2780,32 @@
if (cfg) {
var = ast_variable_browse(cfg, "rooms");
while (var) {
+ char parse[MAX_SETTINGS], *stringp = parse, *confno_tmp;
[... 7072 lines stripped ...]