[asterisk-commits] lmadsen: tag 1.4.40.2 r315210 - in /tags/1.4.40.2: ./ main/
Mon Apr 25 13:09:13 CDT 2011
Author: lmadsen
Date: Mon Apr 25 13:09:09 2011
New Revision: 315210
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=315210
Log:
Update .version, ChangeLog, and merge changes related to AST-2011-006
Removed:
tags/1.4.40.2/asterisk-1.4.40.1-summary.html
tags/1.4.40.2/asterisk-1.4.40.1-summary.txt
Modified:
tags/1.4.40.2/.version
tags/1.4.40.2/ChangeLog
tags/1.4.40.2/main/manager.c
Modified: tags/1.4.40.2/.version
URL: http://svnview.digium.com/svn/asterisk/tags/1.4.40.2/.version?view=diff&rev=315210&r1=315209&r2=315210
==============================================================================
--- tags/1.4.40.2/.version (original)
+++ tags/1.4.40.2/.version Mon Apr 25 13:09:09 2011
@@ -1,1 +1,1 @@
-1.4.40.1
+1.4.40.2
Modified: tags/1.4.40.2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/1.4.40.2/ChangeLog?view=diff&rev=315210&r1=315209&r2=315210
==============================================================================
--- tags/1.4.40.2/ChangeLog (original)
+++ tags/1.4.40.2/ChangeLog Mon Apr 25 13:09:09 2011
@@ -1,3 +1,17 @@
+2011-04-25 Leif Madsen <lmadsen at digium.com>
+
+ * Asterisk 1.4.40.2 Released.
+
+ * Reverted part of r314607, as it can introduce a regression.
+ Specifically, the security check for the "system"
+ privilege was removed. If a user had the "call" privilege but not the
+ "system" privilege, they would lose the ability to execute the system
+ app and dialplan functions that run commands in a shell. This branch
+ never used the "system" privilege for that purpose and did not need to
+ be patched.
+
+ (Related to AST-2011-006)
+
2011-04-21 Leif Madsen <lmadsen at digium.com>
* Asterisk 1.4.40.1 Released.
Modified: tags/1.4.40.2/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.4.40.2/main/manager.c?view=diff&rev=315210&r1=315209&r2=315210
==============================================================================
--- tags/1.4.40.2/main/manager.c (original)
+++ tags/1.4.40.2/main/manager.c Mon Apr 25 13:09:09 2011
@@ -2016,24 +2016,6 @@
format = 0;
ast_parse_allow_disallow(NULL, &format, codecs, 1);
}
- if (!ast_strlen_zero(app)) {
- /* To run the System application (or anything else that goes to
- * shell), you must have the additional System privilege */
- if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
- && (
- strcasestr(app, "system") == 0 || /* System(rm -rf /)
- TrySystem(rm -rf /) */
- strcasestr(app, "exec") || /* Exec(System(rm -rf /))
- TryExec(System(rm -rf /)) */
- strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
- EAGI(/bin/rm,-rf /) */
- strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
- strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
- )) {
- astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
- return 0;
- }
- }
/* Allocate requested channel variables */
vars = astman_get_variables(m);