[asterisk-commits] bebuild: tag 10.8.0-digiumphones-rc2 r372869 - in /tags/10.8.0-digiumphones-r...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Sep 11 12:21:33 CDT 2012


Author: bebuild
Date: Tue Sep 11 12:21:28 2012
New Revision: 372869

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=372869
Log:
Commit changes for 10.8.0-digiumphones-rc2

* Updated ChangeLog
* Update version information
* Merge r371999 for ASTERISK-20132
* Merge r372020 for ASTERISK-20186
* Merge r372841 for ASTERISK-20335
* Merge r371861 for ASTERISK-20287
* Merge r372710 for ASTERISK-20194

Removed:
    tags/10.8.0-digiumphones-rc2/asterisk-10.8.0-digiumphones-rc1-summary.html
    tags/10.8.0-digiumphones-rc2/asterisk-10.8.0-digiumphones-rc1-summary.txt
Modified:
    tags/10.8.0-digiumphones-rc2/   (props changed)
    tags/10.8.0-digiumphones-rc2/.version
    tags/10.8.0-digiumphones-rc2/ChangeLog
    tags/10.8.0-digiumphones-rc2/README-SERIOUSLY.bestpractices.txt
    tags/10.8.0-digiumphones-rc2/apps/app_dial.c
    tags/10.8.0-digiumphones-rc2/channels/chan_iax2.c
    tags/10.8.0-digiumphones-rc2/channels/sip/sdp_crypto.c
    tags/10.8.0-digiumphones-rc2/main/features.c
    tags/10.8.0-digiumphones-rc2/main/manager.c

Propchange: tags/10.8.0-digiumphones-rc2/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Propchange: tags/10.8.0-digiumphones-rc2/
------------------------------------------------------------------------------
    svn:mergeinfo = /branches/10:371861,371999,372020,372710,372841,372861

Modified: tags/10.8.0-digiumphones-rc2/.version
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/.version?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/.version (original)
+++ tags/10.8.0-digiumphones-rc2/.version Tue Sep 11 12:21:28 2012
@@ -1,1 +1,1 @@
-10.8.0-digiumphones-rc1
+10.8.0-digiumphones-rc2

Modified: tags/10.8.0-digiumphones-rc2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/ChangeLog?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/ChangeLog (original)
+++ tags/10.8.0-digiumphones-rc2/ChangeLog Tue Sep 11 12:21:28 2012
@@ -1,3 +1,61 @@
+2012-09-11  Asterisk Development Team <asteriskteam at digium.com>
+
+	* Asterisk 10.8.0-digiumphones-rc2 Released.
+
+	* AST-2012-013: Resolve ACL rules being ignored during calls by some
+	  IAX2 peers
+
+	* AST-2012-012: Resolve AMI User Unauthorized Shell Access through
+	  ExternalIVR
+
+	* r371861: Fix hangup cause passthrough regression.
+
+	  The v1.8 -r369258 change to fix the F and F(x) action logic
+	  introduced a regression in passing the hangup cause from the called
+	  channel to the caller channel.
+
+	  (closes issue ASTERISK-20287)
+	  Reported by: Konstantin Suvorov
+	  Patches:
+	      app_dial_hangupcause.patch (license #6421) patch uploaded by
+	      Konstantin Suvorov (modified)
+	      Tested by: rmudgett
+
+	* r372710: Only re-create an SRTP session when needed; respond with
+	  correct crypto policy
+
+	  In r356604, SRTP handling was fixed to accomodate multiple crypto
+	  keys in an SDP offer and the ability to re-create an SRTP session
+	  when the crypto keys changed. In certain circumstances - most
+	  notably when a phone is put on hold after having been bridged for a
+	  significant amount of time - the act of re-creating the SRTP session
+	  causes problems for certain models of	phones.	The patch committed in
+	  r356604 always re-created the SRTP session regardless	of whether or
+	  not the cryptographic keys changed. Since this is technically
+	  not necessary, this patch modifies the behavior to only re-create the
+	  SRTP session if Asterisk detects that the remote key has changed.
+	  This allows models of phones that do not handle the SRTP session
+	  changing to continue to work, while also providing the behavior
+	  needed for those phones that do re-negotiate cryptographic keys.
+
+	  (issue ASTERISK-20194)
+	  Reported by: Nicolo Mazzon
+	  Tested by: Nicolo Mazzon
+
+	  Review: https://reviewboard.asterisk.org/r/2099
+
+	* r372841: Fix bad channel application data reference.
+
+	  When channels get bridged due to an AMI bridge action
+	  or a DTMF attended transfer, the two channels that
+	  get bridged have their application data pointing to
+	  the other channel's name. This means that if one channel
+	  is hung up but the other moves on, it means that the
+	  channel that moves on will have its application data
+	  pointing at freed memory.
+
+	  (issue ASTERISK-20335)
+
 2012-07-31  Asterisk Development Team <asteriskteam at digium.com>
 
 	* Asterisk 10.8.0-digiumphones-rc1 Released.
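Review bot: the AST-2012-013 and AST-2012-012 entries at the top of the new block carry no revision or issue number, unlike the r371861, r372710 and r372841 entries below them. The commit log lists r371999 (ASTERISK-20132) and r372020 (ASTERISK-20186) as merged, so adding the matching revision to each advisory line would let a reader trace the security fixes. In the r372710 entry, "accomodate" should be "accommodate", and the stray tabs inside "models of phones. The" and "regardless of" should be single spaces.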

Modified: tags/10.8.0-digiumphones-rc2/README-SERIOUSLY.bestpractices.txt
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/README-SERIOUSLY.bestpractices.txt?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/README-SERIOUSLY.bestpractices.txt (original)
+++ tags/10.8.0-digiumphones-rc2/README-SERIOUSLY.bestpractices.txt Tue Sep 11 12:21:28 2012
@@ -22,6 +22,9 @@
 
 * Reducing Pattern Match Typos: 
         Using the 'same' prefix, or using Goto()
+
+* Manager Class Authorizations:
+        Recognizing potential issues with certain classes of authorization
 
 ----------------
 Additional Links
@@ -293,3 +296,51 @@
 exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
 same => n,Playback(silence/1&num-not-in-db)
 same => n,Hangup()
+
+
+============================
+Manager Class Authorizations
+============================
+
+Manager accounts have associated class authorizations that define what actions
+and events that account can execute/receive.  In order to run Asterisk commands
+or dialplan applications that affect the system Asterisk executes on, the
+"system" class authorization should be set on the account.
+
+However, Manager commands that originate new calls into the Asterisk dialplan
+have the potential to alter or affect the system as well, even though the
+class authorization for origination commands is "originate".  Take, for example,
+the Originate manager command:
+
+Action: Originate
+Channel: SIP/foo
+Exten: s
+Context: default
+Priority: 1
+Application: System
+Data: echo hello world!
+
+This manager command will attempt to execute an Asterisk application, System,
+which is normally associated with the "system" class authorication.  While some
+checks have been put into Asterisk to take this into account, certain dialplan
+configurations and/or clever manipulation of the Originate manager action can
+circumvent these checks.  For example, take the following dialplan:
+
+exten => s,1,Verbose(Incoming call)
+same => n,MixMonitor(foo.wav,,${EXEC_COMMAND})
+same => n,Dial(SIP/bar)
+same => n,Hangup()
+
+Whatever has been defined in the variable EXEC_COMMAND will be executed after
+MixMonitor has finished recording the call.  The dialplan writer may have
+intended that this variable to be set by some other location in the dialplan;
+however, the Manager action Originate allows for channel variables to be set by
+the account initiating the new call.  This could allow the Originate action to
+execute some command on the system by setting the EXEC_COMMAND dialplan variable
+in the Variable: header.
+
+In general, you should treat the Manager class authorization "originate" the
+same as the class authorization "system".  Good system configuration, such as
+not running Asterisk as root, can prevent serious problems from arising when
+allowing external connections to originate calls into Asterisk.
+
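Review bot: the paragraph after the Originate example misspells "authorization" as "authorication", and "intended that this variable to be set" in the EXEC_COMMAND paragraph should read "intended this variable to be set". The closing advice to treat "originate" the same as "system" would be easier to act on if it said where the class is granted, for example that an account's write= line in manager.conf should list originate only for accounts already trusted with system.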

Modified: tags/10.8.0-digiumphones-rc2/apps/app_dial.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/apps/app_dial.c?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/apps/app_dial.c (original)
+++ tags/10.8.0-digiumphones-rc2/apps/app_dial.c Tue Sep 11 12:21:28 2012
@@ -2996,9 +2996,9 @@
 					/* The peer is now running its own PBX. */
 					goto out;
 				}
-			} else {
-				chan->hangupcause = peer->hangupcause;
-			}
+			}
+		} else if (!ast_check_hangup(chan)) {
+			chan->hangupcause = peer->hangupcause;
 		}
 		ast_hangup(peer);
 	}
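Review bot: the copy of peer->hangupcause into chan->hangupcause has moved from the inner else to an else-if one nesting level out and is now gated on !ast_check_hangup(chan), but nothing in the code says why. A short comment on the new branch stating which condition it is the alternative to, and that the caller's own cause is kept once the caller has hung up, would help prevent the regression described in the ChangeLog entry for r371861 from being reintroduced.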

Modified: tags/10.8.0-digiumphones-rc2/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/channels/chan_iax2.c?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/channels/chan_iax2.c (original)
+++ tags/10.8.0-digiumphones-rc2/channels/chan_iax2.c Tue Sep 11 12:21:28 2012
@@ -7725,10 +7725,10 @@
 	i = ao2_iterator_init(users, 0);
 	while ((user = ao2_iterator_next(&i))) {
 		if ((ast_strlen_zero(iaxs[callno]->username) ||				/* No username specified */
-			!strcmp(iaxs[callno]->username, user->name))	/* Or this username specified */
-			&& ast_apply_ha(user->ha, &addr) 	/* Access is permitted from this IP */
+			!strcmp(iaxs[callno]->username, user->name))			/* Or this username specified */
+			&& ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW		/* Access is permitted from this IP */
 			&& (ast_strlen_zero(iaxs[callno]->context) ||			/* No context specified */
-			     apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
+				apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
 			if (!ast_strlen_zero(iaxs[callno]->username)) {
 				/* Exact match, stop right now. */
 				if (best)
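Review bot: the only functional change in this hunk is the == AST_SENSE_ALLOW comparison on the ast_apply_ha() line; the re-indented strcmp and apply_context lines are whitespace-only and make the ACL fix harder to spot. Keep alignment changes out of the fix, and add a comment noting that the result of ast_apply_ha() is compared against a sense value rather than tested as a boolean, so the explicit comparison is not simplified away later.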
@@ -7784,8 +7784,9 @@
 	user = best;
 	if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
 		user = realtime_user(iaxs[callno]->username, sin);
-		if (user && !ast_strlen_zero(iaxs[callno]->context) &&			/* No context specified */
-		    !apply_context(user->contexts, iaxs[callno]->context)) {		/* Context is permitted */
+		if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY		/* Access is denied from this IP */
+			|| (!ast_strlen_zero(iaxs[callno]->context) &&					/* No context specified */
+				!apply_context(user->contexts, iaxs[callno]->context)))) {	/* Context is permitted */
 			user = user_unref(user);
 		}
 	}
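Review bot: the realtime path rejects the user only when ast_apply_ha() == AST_SENSE_DENY, while the loop in the previous hunk accepts only when the result == AST_SENSE_ALLOW; testing != AST_SENSE_ALLOW here would make both paths fail closed on any other return value. The trailing comments are also misleading: "No context specified" sits on !ast_strlen_zero(...), which is true when a context was specified, and "Context is permitted" sits on !apply_context(...), which is the not-permitted case.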

Modified: tags/10.8.0-digiumphones-rc2/channels/sip/sdp_crypto.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/channels/sip/sdp_crypto.c?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/channels/sip/sdp_crypto.c (original)
+++ tags/10.8.0-digiumphones-rc2/channels/sip/sdp_crypto.c Tue Sep 11 12:21:28 2012
@@ -50,6 +50,7 @@
 	char *a_crypto;
 	unsigned char local_key[SRTP_MASTER_LEN];
 	char local_key64[SRTP_MASTER_LEN64];
+	unsigned char remote_key[SRTP_MASTER_LEN];
 };
 
 static int set_crypto_policy(struct ast_srtp_policy *policy, int suite_val, const unsigned char *master_key, unsigned long ssrc, int inbound);
@@ -260,11 +261,16 @@
 		return -1;
 	}
 
-
 	if ((key_len = ast_base64decode(remote_key, key_salt, sizeof(remote_key))) != SRTP_MASTER_LEN) {
-		ast_log(LOG_WARNING, "SRTP sdescriptions key %d != %d\n", key_len, SRTP_MASTER_LEN);
-		return -1;
-	}
+		ast_log(LOG_WARNING, "SRTP descriptions key %d != %d\n", key_len, SRTP_MASTER_LEN);
+		return -1;
+	}
+
+	if (!memcmp(p->remote_key, remote_key, sizeof(p->remote_key))) {
+		ast_debug(1, "SRTP remote key unchanged; maintaining current policy\n");
+		return 0;
+	}
+	memcpy(p->remote_key, remote_key, sizeof(p->remote_key));
 
 	if (sdp_crypto_activate(p, suite_val, remote_key, rtp) < 0) {
 		return -1;
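Review bot: memcpy(p->remote_key, ...) runs before sdp_crypto_activate(), so if activation fails and returns -1 the cached key has already been updated, and a later offer carrying the same key takes the "remote key unchanged" path and returns 0 without a policy having been activated. Move the memcpy to after sdp_crypto_activate() succeeds. Separately, the warning text changed from "sdescriptions" to "descriptions"; if the original referred to SDP security descriptions, the old wording was intentional and should stay.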

Modified: tags/10.8.0-digiumphones-rc2/main/features.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/main/features.c?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/main/features.c (original)
+++ tags/10.8.0-digiumphones-rc2/main/features.c Tue Sep 11 12:21:28 2012
@@ -957,6 +957,33 @@
 	struct ast_channel *transferee, const char *type, struct ast_format_cap *cap, void *data,
 	int timeout, int *outstate, const char *language);
 
+static const struct ast_datastore_info channel_app_data_datastore = {
+	.type = "Channel appdata datastore",
+	.destroy = ast_free_ptr,
+};
+
+static int set_chan_app_data(struct ast_channel *chan, const char *src_app_data)
+{
+	struct ast_datastore *datastore;
+	char *dst_app_data;
+
+	datastore = ast_datastore_alloc(&channel_app_data_datastore, NULL);
+	if (!datastore) {
+		return -1;
+	}
+
+	dst_app_data = ast_malloc(strlen(src_app_data) + 1);
+	if (!dst_app_data) {
+		ast_datastore_free(datastore);
+		return -1;
+	}
+
+	chan->data = strcpy(dst_app_data, src_app_data);
+	datastore->data = dst_app_data;
+	ast_channel_datastore_add(chan, datastore);
+	return 0;
+}
+
 /*!
  * \brief bridge the call 
  * \param data thread bridge.
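Review bot: set_chan_app_data() allocates and attaches a new datastore on every call and never looks for an existing "Channel appdata datastore" on the channel, so a channel that is bridged more than once keeps every earlier copy until its datastores are destroyed; finding and removing the previous one first would bound that. The return value of ast_channel_datastore_add() is ignored, src_app_data is passed to strlen() without a NULL check, and the function has no comment saying that chan->data now points at memory owned by the datastore. The ast_malloc() plus strcpy() pair could be a single ast_strdup().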
@@ -970,9 +997,13 @@
 	struct ast_bridge_thread_obj *tobj = data;
 
 	tobj->chan->appl = !tobj->return_to_pbx ? "Transferred Call" : "ManagerBridge";
-	tobj->chan->data = tobj->peer->name;
+	if (set_chan_app_data(tobj->chan, tobj->peer->name)) {
+		tobj->chan->data = "(Empty)";
+	}
 	tobj->peer->appl = !tobj->return_to_pbx ? "Transferred Call" : "ManagerBridge";
-	tobj->peer->data = tobj->chan->name;
+	if (set_chan_app_data(tobj->peer, tobj->chan->name)) {
+		tobj->peer->data = "(Empty)";
+	}
 
 	ast_bridge_call(tobj->peer, tobj->chan, &tobj->bconfig);
 

Modified: tags/10.8.0-digiumphones-rc2/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/tags/10.8.0-digiumphones-rc2/main/manager.c?view=diff&rev=372869&r1=372868&r2=372869
==============================================================================
--- tags/10.8.0-digiumphones-rc2/main/manager.c (original)
+++ tags/10.8.0-digiumphones-rc2/main/manager.c Tue Sep 11 12:21:28 2012
@@ -4142,6 +4142,7 @@
 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
 				                                     EAGI(/bin/rm,-rf /)       */
 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {
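Review bot: the added strcasestr(app, "externalivr") line extends a substring denylist of application names, so every application able to run a command has to be remembered and added here one at a time. A comment above the condition pointing to the Manager Class Authorizations section added to README-SERIOUSLY.bestpractices.txt in this commit, stating that the list is best-effort and that originate should be granted as carefully as system, would set the right expectation. Note also that the substring match applies to any application whose name merely contains "externalivr", which is worth stating if it is intended.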



