[asterisk-commits] bebuild: tag 1.8.16.0-rc2 r372845 - in /tags/1.8.16.0-rc2: ./ apps/ channels/...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Tue Sep 11 11:15:12 CDT 2012
Author: bebuild
Date: Tue Sep 11 11:15:05 2012
New Revision: 372845
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=372845
Log:
Commit changes for 1.8.16.0-rc2
* Updated ChangeLog
* Update version information
* Merge r371998 for ASTERISK-20132
* Merge r372015 for ASTERISK-20186
* Merge r372840 for ASTERISK-20335
* Merge r371860 for ASTERISK-20287
* Merge r372709 for ASTERISK-20194
Removed:
tags/1.8.16.0-rc2/asterisk-1.8.16.0-rc1-summary.html
tags/1.8.16.0-rc2/asterisk-1.8.16.0-rc1-summary.txt
Modified:
tags/1.8.16.0-rc2/ (props changed)
tags/1.8.16.0-rc2/.version
tags/1.8.16.0-rc2/ChangeLog
tags/1.8.16.0-rc2/README-SERIOUSLY.bestpractices.txt
tags/1.8.16.0-rc2/apps/app_dial.c
tags/1.8.16.0-rc2/channels/chan_iax2.c
tags/1.8.16.0-rc2/channels/sip/sdp_crypto.c
tags/1.8.16.0-rc2/main/features.c
tags/1.8.16.0-rc2/main/manager.c
Propchange: tags/1.8.16.0-rc2/
------------------------------------------------------------------------------
svn:mergeinfo = /branches/1.8:371860,371998,372015,372709,372840
Modified: tags/1.8.16.0-rc2/.version
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/.version?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/.version (original)
+++ tags/1.8.16.0-rc2/.version Tue Sep 11 11:15:05 2012
@@ -1,1 +1,1 @@
-1.8.16.0-rc1
+1.8.16.0-rc2
Modified: tags/1.8.16.0-rc2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/ChangeLog?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/ChangeLog (original)
+++ tags/1.8.16.0-rc2/ChangeLog Tue Sep 11 11:15:05 2012
@@ -1,3 +1,78 @@
+2012-09-11 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Asterisk 1.8.16.0-rc2 Released.
+
+ * AST-2012-013: Resolve ACL rules being ignored during calls by some
+ IAX2 peers
+
+ * AST-2012-012: Resolve AMI User Unauthorized Shell Access through
+ ExternalIVR
+
+ * r371860: Fix hangup cause passthrough regression.
+
+ The v1.8 -r369258 change to fix the F and F(x) action logic
+ introduced a regression in passing the hangup cause from the called
+ channel to the caller channel.
+
+ (closes issue ASTERISK-20287)
+ Reported by: Konstantin Suvorov
+ Patches:
+ app_dial_hangupcause.patch (license #6421) patch uploaded by
+ Konstantin Suvorov (modified)
+ Tested by: rmudgett
+
+ * r372709: Only re-create an SRTP session when needed; respond with
+ correct crypto policy
+
+ In r356604, SRTP handling was fixed to accomodate multiple crypto
+ keys in an SDP offer and the ability to re-create an SRTP session
+ when the crypto keys changed. In certain circumstances - most
+ notably when a phone is put on hold after having been bridged for a
+ significant amount of time - the act of re-creating the SRTP session
+ causes problems for certain models of phones. The patch committed in
+ r356604 always re-created the SRTP session regardless of whether or
+ not the cryptographic keys changed. Since this is technically
+ not necessary, this patch modifies the behavior to only re-create the
+ SRTP session if Asterisk detects that the remote key has changed.
+ This allows models of phones that do not handle the SRTP session
+ changing to continue to work, while also providing the behavior
+ needed for those phones that do re-negotiate cryptographic keys.
+
+ In addition, in Asterisk 1.8 only, it was found that phones that
+ offer AES_CM_128_HMAC_SHA1_32 will end up with no audio if the phone
+ is the initiator of the call. The phone will send an INVITE request
+ specifying that AES_CM_128_HMAC_SHA1_32 be used for the cryptographic
+ policy; Asterisk will set its policy to that value. Unfortunately,
+ when the call is Answered and a 200 OK is sent back to the UA, the
+ policy sent in the response's SDP will be the hard coded value
+ AES_CM_128_HMAC_SHA1_80. This potentially results in Asterisk using
+ the INVITE request's policy of AES_CM_128_HMAC_SHA1_32, while the
+ phone uses Asterisk's response of AES_CM_128_HMAC_SHA1_80. Hilarity
+ ensues as both endpoints think the other is crazy.
+
+ This patch fixes that by caching the policy from the request and
+ responding with it. Note that this is not a problem in Asterisk 10
+ and later, as the ability to configure the policy was added in that
+ version.
+
+ (issue ASTERISK-20194)
+ Reported by: Nicolo Mazzon
+ Tested by: Nicolo Mazzon
+
+ Review: https://reviewboard.asterisk.org/r/2099
+
+ * r372840: Fix bad channel application data reference.
+
+ When channels get bridged due to an AMI bridge action
+ or a DTMF attended transfer, the two channels that
+ get bridged have their application data pointing to
+ the other channel's name. This means that if one channel
+ is hung up but the other moves on, it means that the
+ channel that moves on will have its application data
+ pointing at freed memory.
+
+ (issue ASTERISK-20335)
+
2012-07-31 Asterisk Development Team <asteriskteam at digium.com>
* Asterisk 1.8.16.0-rc1 Released.
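Review bot: The AST-2012-013 and AST-2012-012 entries at the top of this ChangeLog block carry no revision number or issue key, unlike the r371860, r372709 and r372840 entries below them. The commit log lists r371998 (ASTERISK-20132) and r372015 (ASTERISK-20186) as merged, so adding the matching reference to each advisory line would let a reader trace the security fixes to their commits. Also, "accomodate" in the r372709 text should be "accommodate".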
Modified: tags/1.8.16.0-rc2/README-SERIOUSLY.bestpractices.txt
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/README-SERIOUSLY.bestpractices.txt?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/README-SERIOUSLY.bestpractices.txt (original)
+++ tags/1.8.16.0-rc2/README-SERIOUSLY.bestpractices.txt Tue Sep 11 11:15:05 2012
@@ -22,6 +22,9 @@
* Reducing Pattern Match Typos:
Using the 'same' prefix, or using Goto()
+
+* Manager Class Authorizations:
+ Recognizing potential issues with certain classes of authorization
----------------
Additional Links
@@ -293,3 +296,51 @@
exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
same => n,Playback(silence/1&num-not-in-db)
same => n,Hangup()
+
+
+============================
+Manager Class Authorizations
+============================
+
+Manager accounts have associated class authorizations that define what actions
+and events that account can execute/receive. In order to run Asterisk commands
+or dialplan applications that affect the system Asterisk executes on, the
+"system" class authorization should be set on the account.
+
+However, Manager commands that originate new calls into the Asterisk dialplan
+have the potential to alter or affect the system as well, even though the
+class authorization for origination commands is "originate". Take, for example,
+the Originate manager command:
+
+Action: Originate
+Channel: SIP/foo
+Exten: s
+Context: default
+Priority: 1
+Application: System
+Data: echo hello world!
+
+This manager command will attempt to execute an Asterisk application, System,
+which is normally associated with the "system" class authorication. While some
+checks have been put into Asterisk to take this into account, certain dialplan
+configurations and/or clever manipulation of the Originate manager action can
+circumvent these checks. For example, take the following dialplan:
+
+exten => s,1,Verbose(Incoming call)
+same => n,MixMonitor(foo.wav,,${EXEC_COMMAND})
+same => n,Dial(SIP/bar)
+same => n,Hangup()
+
+Whatever has been defined in the variable EXEC_COMMAND will be executed after
+MixMonitor has finished recording the call. The dialplan writer may have
+intended that this variable to be set by some other location in the dialplan;
+however, the Manager action Originate allows for channel variables to be set by
+the account initiating the new call. This could allow the Originate action to
+execute some command on the system by setting the EXEC_COMMAND dialplan variable
+in the Variable: header.
+
+In general, you should treat the Manager class authorization "originate" the
+same as the class authorization "system". Good system configuration, such as
+not running Asterisk as root, can prevent serious problems from arising when
+allowing external connections to originate calls into Asterisk.
+
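Review bot: Two wording errors in the new "Manager Class Authorizations" section: "authorication" in the paragraph after the Originate example should be "authorization", and "intended that this variable to be set" should read "intended this variable to be set". Since this text is the operator-facing guidance for AST-2012-012, it is worth fixing before the tag ships.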
Modified: tags/1.8.16.0-rc2/apps/app_dial.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/apps/app_dial.c?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/apps/app_dial.c (original)
+++ tags/1.8.16.0-rc2/apps/app_dial.c Tue Sep 11 11:15:05 2012
@@ -2996,9 +2996,9 @@
/* The peer is now running its own PBX. */
goto out;
}
- } else {
- chan->hangupcause = peer->hangupcause;
- }
+ }
+ } else if (!ast_check_hangup(chan)) {
+ chan->hangupcause = peer->hangupcause;
}
ast_hangup(peer);
}
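Review bot: The added `} else if (!ast_check_hangup(chan)) {` attaches to a different `if` than the removed `} else {`: the extra `}` before it closes the inner block first, so the hangup cause is now copied on the outer else path. Neither the outer condition nor the reason for the ast_check_hangup(chan) guard is stated at this point; a one-line comment saying which case this else covers, and why the caller's cause is left alone once it has hung up, would make the regression fix reviewable without reading the whole function.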
Modified: tags/1.8.16.0-rc2/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/channels/chan_iax2.c?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/channels/chan_iax2.c (original)
+++ tags/1.8.16.0-rc2/channels/chan_iax2.c Tue Sep 11 11:15:05 2012
@@ -7618,10 +7618,10 @@
i = ao2_iterator_init(users, 0);
while ((user = ao2_iterator_next(&i))) {
if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */
- !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
- && ast_apply_ha(user->ha, &addr) /* Access is permitted from this IP */
+ !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
+ && ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW /* Access is permitted from this IP */
&& (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */
- apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
+ apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
if (!ast_strlen_zero(iaxs[callno]->username)) {
/* Exact match, stop right now. */
if (best)
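Review bot: The functional change here is the single comparison `ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW`, but it is mixed with whitespace-only changes to the strcmp and apply_context lines, which makes the ACL fix harder to audit. Suggest committing the re-indentation separately, and extending the comment to say that the return value is a sense value that must be compared explicitly rather than tested for truth, so the same mistake is not repeated elsewhere.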
@@ -7677,8 +7677,9 @@
user = best;
if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
user = realtime_user(iaxs[callno]->username, sin);
- if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
- !apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */
+ if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY /* Access is denied from this IP */
+ || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
+ !apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */
user = user_unref(user);
}
}
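Review bot: The trailing comments on the new condition say the opposite of the code: `!ast_strlen_zero(iaxs[callno]->context)` is true when a context was specified, not "No context specified", and `!apply_context(...)` is true when the context is not permitted. On the rejection path of an ACL fix these should be corrected, for example to "Context specified" and "Context is not permitted". The deny test is also written as `== AST_SENSE_DENY` while the previous hunk accepts on `== AST_SENSE_ALLOW`; using `!= AST_SENSE_ALLOW` here would keep the two paths consistent and reject by default.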
Modified: tags/1.8.16.0-rc2/channels/sip/sdp_crypto.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/channels/sip/sdp_crypto.c?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/channels/sip/sdp_crypto.c (original)
+++ tags/1.8.16.0-rc2/channels/sip/sdp_crypto.c Tue Sep 11 11:15:05 2012
@@ -49,6 +49,8 @@
char *a_crypto;
unsigned char local_key[SRTP_MASTER_LEN];
char local_key64[SRTP_MASTER_LEN64];
+ unsigned char remote_key[SRTP_MASTER_LEN];
+ char suite[64];
};
static int set_crypto_policy(struct ast_srtp_policy *policy, int suite_val, const unsigned char *master_key, unsigned long ssrc, int inbound);
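Review bot: `char suite[64]` introduces an unnamed size and neither new field is documented. A named constant for the length, plus comments that suite caches the crypto suite accepted from the remote offer and that remote_key is kept only to detect a key change on a later offer, would make the intent of the struct clear.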
@@ -257,11 +259,19 @@
return -1;
}
-
if ((key_len = ast_base64decode(remote_key, key_salt, sizeof(remote_key))) != SRTP_MASTER_LEN) {
- ast_log(LOG_WARNING, "SRTP sdescriptions key %d != %d\n", key_len, SRTP_MASTER_LEN);
- return -1;
- }
+ ast_log(LOG_WARNING, "SRTP descriptions key %d != %d\n", key_len, SRTP_MASTER_LEN);
+ return -1;
+ }
+
+ if (!memcmp(p->remote_key, remote_key, sizeof(p->remote_key))) {
+ ast_debug(1, "SRTP remote key unchanged; maintaining current policy\n");
+ return 0;
+ }
+
+ /* Set the accepted policy and remote key */
+ ast_copy_string(p->suite, suite, sizeof(p->suite));
+ memcpy(p->remote_key, remote_key, sizeof(p->remote_key));
if (sdp_crypto_activate(p, suite_val, remote_key, rtp) < 0) {
return -1;
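Review bot: p->suite and p->remote_key are updated before `sdp_crypto_activate(p, suite_val, remote_key, rtp)` is known to have succeeded. If activation returns < 0, the cached key still matches, so a later offer with the same key takes the new memcmp branch and returns 0 without retrying activation. Suggest moving the ast_copy_string and memcpy to after the activate call succeeds. The unchanged check also compares only the key; an offer that keeps the key but changes the suite is treated as unchanged, so consider comparing the suite as well. Separately, the log text changed from "sdescriptions" to "descriptions"; if the original referred to SDP security descriptions, the old spelling was intentional.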
@@ -280,13 +290,17 @@
int sdp_crypto_offer(struct sdp_crypto *p)
{
char crypto_buf[128];
- const char *crypto_suite = "AES_CM_128_HMAC_SHA1_80"; /* Crypto offer */
+
+ if (ast_strlen_zero(p->suite)) {
+ /* Default crypto offer */
+ strcpy(p->suite, "AES_CM_128_HMAC_SHA1_80");
+ }
if (p->a_crypto) {
ast_free(p->a_crypto);
}
- if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 %s inline:%s\r\n", crypto_suite, p->local_key64) < 1) {
+ if (snprintf(crypto_buf, sizeof(crypto_buf), "a=crypto:1 %s inline:%s\r\n", p->suite, p->local_key64) < 1) {
return -1;
}
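Review bot: The default is written with `strcpy(p->suite, "AES_CM_128_HMAC_SHA1_80")` while the rest of this patch uses `ast_copy_string(p->suite, suite, sizeof(p->suite))`; use the bounded form here too so the copy stays safe if the buffer size or the default ever changes. The `snprintf(...) < 1` test on the changed line also does not catch truncation now that the suite is variable-length; comparing the return value against sizeof(crypto_buf) would.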
Modified: tags/1.8.16.0-rc2/main/features.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/main/features.c?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/main/features.c (original)
+++ tags/1.8.16.0-rc2/main/features.c Tue Sep 11 11:15:05 2012
@@ -945,6 +945,33 @@
struct ast_channel *transferee, const char *type, format_t format, void *data,
int timeout, int *outstate, const char *language);
+static const struct ast_datastore_info channel_app_data_datastore = {
+ .type = "Channel appdata datastore",
+ .destroy = ast_free_ptr,
+};
+
+static int set_chan_app_data(struct ast_channel *chan, const char *src_app_data)
+{
+ struct ast_datastore *datastore;
+ char *dst_app_data;
+
+ datastore = ast_datastore_alloc(&channel_app_data_datastore, NULL);
+ if (!datastore) {
+ return -1;
+ }
+
+ dst_app_data = ast_malloc(strlen(src_app_data) + 1);
+ if (!dst_app_data) {
+ ast_datastore_free(datastore);
+ return -1;
+ }
+
+ chan->data = strcpy(dst_app_data, src_app_data);
+ datastore->data = dst_app_data;
+ ast_channel_datastore_add(chan, datastore);
+ return 0;
+}
+
/*!
* \brief bridge the call
* \param data thread bridge.
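Review bot: In set_chan_app_data the return value of `ast_channel_datastore_add(chan, datastore)` is ignored, yet chan->data has already been pointed at the buffer the datastore owns; if the add fails, the function returns 0 with a datastore that nothing will free. Check the result, free the datastore on failure, and assign chan->data only after the add succeeds. The function also allocates a new datastore on every call without looking for one of the same type already on the channel, so a channel bridged more than once accumulates copies. A doc comment stating that chan->data now points at datastore-owned memory is missing as well.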
@@ -958,9 +985,13 @@
struct ast_bridge_thread_obj *tobj = data;
tobj->chan->appl = !tobj->return_to_pbx ? "Transferred Call" : "ManagerBridge";
- tobj->chan->data = tobj->peer->name;
+ if (set_chan_app_data(tobj->chan, tobj->peer->name)) {
+ tobj->chan->data = "(Empty)";
+ }
tobj->peer->appl = !tobj->return_to_pbx ? "Transferred Call" : "ManagerBridge";
- tobj->peer->data = tobj->chan->name;
+ if (set_chan_app_data(tobj->peer, tobj->chan->name)) {
+ tobj->peer->data = "(Empty)";
+ }
ast_bridge_call(tobj->peer, tobj->chan, &tobj->bconfig);
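Review bot: The `"(Empty)"` fallback is repeated at both call sites; setting it inside set_chan_app_data on the failure path would keep chan->data valid in one place. There is also no comment here on why the name is copied instead of referenced, which is the point of the fix described in the ChangeLog (the other channel can hang up and leave this pointer at freed memory).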
Modified: tags/1.8.16.0-rc2/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.16.0-rc2/main/manager.c?view=diff&rev=372845&r1=372844&r2=372845
==============================================================================
--- tags/1.8.16.0-rc2/main/manager.c (original)
+++ tags/1.8.16.0-rc2/main/manager.c Tue Sep 11 11:15:05 2012
@@ -4083,6 +4083,7 @@
strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
EAGI(/bin/rm,-rf /) */
strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
+ strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
(strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
(strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) {
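Review bot: Adding `strcasestr(app, "externalivr")` extends a substring deny-list by one more name, so every application that can run a command has to be remembered and added here by hand. Suggest a comment above the condition pointing to the "Manager Class Authorizations" section added to README-SERIOUSLY.bestpractices.txt in this same commit, which states that these checks can be circumvented, and consider moving the names into a table so a new entry is a one-line data change.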