[asterisk-commits] bebuild: tag 10.4.0-rc2 r363332 - in /tags/10.4.0-rc2: ./ channels/ main/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Tue Apr 24 11:13:10 CDT 2012
Author: bebuild
Date: Tue Apr 24 11:13:07 2012
New Revision: 363332
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=363332
Log:
Merge r363103-363104, r363107, r363156 for -rc2
Removed:
tags/10.4.0-rc2/asterisk-10.4.0-rc1-summary.html
tags/10.4.0-rc2/asterisk-10.4.0-rc1-summary.txt
Modified:
tags/10.4.0-rc2/ (props changed)
tags/10.4.0-rc2/.version
tags/10.4.0-rc2/ChangeLog
tags/10.4.0-rc2/channels/chan_sip.c
tags/10.4.0-rc2/channels/chan_skinny.c
tags/10.4.0-rc2/main/manager.c
Propchange: tags/10.4.0-rc2/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Propchange: tags/10.4.0-rc2/
------------------------------------------------------------------------------
--- svn:externals (original)
+++ svn:externals Tue Apr 24 11:13:07 2012
@@ -1,1 +1,1 @@
-menuselect https://origsvn.digium.com/svn/menuselect/tags/autotag_for_asterisk/10.4.0-rc1
+menuselect https://origsvn.digium.com/svn/menuselect/trunk
Propchange: tags/10.4.0-rc2/
------------------------------------------------------------------------------
svn:mergeinfo = /branches/10:363103-363104,363107,363156
Modified: tags/10.4.0-rc2/.version
URL: http://svnview.digium.com/svn/asterisk/tags/10.4.0-rc2/.version?view=diff&rev=363332&r1=363331&r2=363332
==============================================================================
--- tags/10.4.0-rc2/.version (original)
+++ tags/10.4.0-rc2/.version Tue Apr 24 11:13:07 2012
@@ -1,1 +1,1 @@
-10.4.0-rc1
+10.4.0-rc2
Modified: tags/10.4.0-rc2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/10.4.0-rc2/ChangeLog?view=diff&rev=363332&r1=363331&r2=363332
==============================================================================
--- tags/10.4.0-rc2/ChangeLog (original)
+++ tags/10.4.0-rc2/ChangeLog Tue Apr 24 11:13:07 2012
@@ -1,3 +1,13 @@
+2012-04-24 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Asterisk 10.4.0-rc2 Released.
+
+ * AST-2012-004
+
+ * AST-2012-005
+
+ * AST-2012-006
+
2012-04-04 Asterisk Development Team <asteriskteam at digium.com>
* Asterisk 10.4.0-rc1 Released.
Modified: tags/10.4.0-rc2/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.4.0-rc2/channels/chan_sip.c?view=diff&rev=363332&r1=363331&r2=363332
==============================================================================
--- tags/10.4.0-rc2/channels/chan_sip.c (original)
+++ tags/10.4.0-rc2/channels/chan_sip.c Tue Apr 24 11:13:07 2012
@@ -22818,6 +22818,10 @@
transmit_response(p, "501 Method Not Implemented", req);
return 0;
}
+ if (!p->owner) {
+ transmit_response(p, "481 Call/Transaction Does Not Exist", req);
+ return 0;
+ }
if (get_rpid(p, req)) {
struct ast_party_connected_line connected;
struct ast_set_party_connected_line update_connected;
Modified: tags/10.4.0-rc2/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.4.0-rc2/channels/chan_skinny.c?view=diff&rev=363332&r1=363331&r2=363332
==============================================================================
--- tags/10.4.0-rc2/channels/chan_skinny.c (original)
+++ tags/10.4.0-rc2/channels/chan_skinny.c Tue Apr 24 11:13:07 2012
@@ -6592,7 +6592,8 @@
int res = 0;
struct skinny_speeddial *sd;
struct skinny_device *d = s->device;
-
+ size_t len;
+
if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
ast_free(req);
@@ -6662,8 +6663,13 @@
ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
}
- sub->exten[strlen(sub->exten)] = dgt;
- sub->exten[strlen(sub->exten)+1] = '\0';
+ len = strlen(sub->exten);
+ if (len < sizeof(sub->exten) - 1) {
+ sub->exten[len] = dgt;
+ sub->exten[len + 1] = '\0';
+ } else {
+ ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+ }
} else
res = handle_keypad_button_message(req, s);
}
Modified: tags/10.4.0-rc2/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.4.0-rc2/main/manager.c?view=diff&rev=363332&r1=363331&r2=363332
==============================================================================
--- tags/10.4.0-rc2/main/manager.c (original)
+++ tags/10.4.0-rc2/main/manager.c Tue Apr 24 11:13:07 2012
@@ -1219,6 +1219,19 @@
{ INT_MAX, "all" },
{ 0, "none" },
};
+
+/*! \brief Checks to see if a string which can be used to evaluate functions should be rejected */
+static int function_capable_string_allowed_with_auths(const char *evaluating, int writepermlist)
+{
+ if (!(writepermlist & EVENT_FLAG_SYSTEM)
+ && (
+ strstr(evaluating, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
+ strstr(evaluating, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+ return 0;
+ }
+ return 1;
+}
/*! \brief Convert authority code to a list of options */
static const char *authority_to_str(int authority, struct ast_str **res)
@@ -3220,6 +3233,12 @@
return 0;
}
+ /* We don't want users with insufficient permissions using certain functions. */
+ if (!(function_capable_string_allowed_with_auths(varname, s->session->writeperm))) {
+ astman_send_error(s, m, "GetVar Access Forbidden: Variable");
+ return 0;
+ }
+
if (!ast_strlen_zero(name)) {
if (!(c = ast_channel_get_by_name(name))) {
astman_send_error(s, m, "No such channel");
@@ -3278,6 +3297,11 @@
snprintf(idText, sizeof(idText), "ActionID: %s\r\n", id);
} else {
idText[0] = '\0';
+ }
+
+ if (!(function_capable_string_allowed_with_auths(variables, s->session->writeperm))) {
+ astman_send_error(s, m, "Status Access Forbidden: Variables");
+ return 0;
}
if (all) {
@@ -4083,6 +4107,7 @@
}
if (!ast_strlen_zero(app)) {
+ int bad_appdata = 0;
/* To run the System application (or anything else that goes to
* shell), you must have the additional System privilege */
if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
@@ -4093,10 +4118,13 @@
TryExec(System(rm -rf /)) */
strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
EAGI(/bin/rm,-rf /) */
- strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
- strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
+ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
+ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) {
- astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+ char error_buf[64];
+ snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
+ astman_send_error(s, m, error_buf);
res = 0;
goto fast_orig_cleanup;
}
More information about the asterisk-commits
mailing list