[asterisk-commits] jrose: trunk r415834 - in /trunk: ./ UPGRADE.txt apps/app_mixmonitor.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Jun 12 10:39:54 CDT 2014
Author: jrose
Date: Thu Jun 12 10:39:52 2014
New Revision: 415834
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=415834
Log:
MixMonitor: Add class authorization requirements to MixMonitor AMI commands
MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for this problem shortly.
ASTERISK-23609 #close
Reported by: Corey Farrell
........
Merged revisions 415825 from http://svn.asterisk.org/svn/asterisk/branches/11
........
Merged revisions 415832 from http://svn.asterisk.org/svn/asterisk/branches/12
Modified:
trunk/ (props changed)
trunk/UPGRADE.txt
trunk/apps/app_mixmonitor.c
Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-12-merged' - no diff available.
Modified: trunk/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/trunk/UPGRADE.txt?view=diff&rev=415834&r1=415833&r2=415834
==============================================================================
--- trunk/UPGRADE.txt (original)
+++ trunk/UPGRADE.txt Thu Jun 12 10:39:52 2014
@@ -102,6 +102,11 @@
ConfbridgeMute, ConfbridgeUnmute, ConfbridgeTalking, BlindTransfer,
AttendedTransfer, BridgeCreate, BridgeDestroy, BridgeEnter, BridgeLeave
+ - MixMonitor AMI actions now require users to have authorization classes.
+ * MixMonitor - system
+ * MixMonitorMute - call or system
+ * StopMixMonitor - call or system
+
CDRs:
- The "endbeforehexten" setting now defaults to "yes", instead of "no".
When set to "no", yhis setting will cause a new CDR to be generated when a
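Review bot: The new UPGRADE.txt entry says only that the actions "now require users to have authorization classes", without saying why MixMonitor is limited to system while MixMonitorMute and StopMixMonitor also accept call. The commit log gives the reason (the action can execute shell commands when given the right arguments, which is treated as a permission escalation), and a short clause to that effect under "* MixMonitor - system" would tell administrators why call is not enough for that action. It would also help to state that manager users lacking the listed classes will lose access to these actions after upgrading, so they know to review their manager accounts. Separately, the log refers to the action as StartMixMonitor and does not mention MixMonitorMute, while this entry and the registrations use "MixMonitor" and cover all three actions; the log and the notes should agree on names and scope.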
Modified: trunk/apps/app_mixmonitor.c
URL: http://svnview.digium.com/svn/asterisk/trunk/apps/app_mixmonitor.c?view=diff&rev=415834&r1=415833&r2=415834
==============================================================================
--- trunk/apps/app_mixmonitor.c (original)
+++ trunk/apps/app_mixmonitor.c Thu Jun 12 10:39:52 2014
@@ -1518,9 +1518,9 @@
ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
res = ast_register_application_xml(app, mixmonitor_exec);
res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
- res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
- res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
- res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
+ res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
res |= ast_custom_function_register(&mixmonitor_function);
res |= set_mixmonitor_methods();
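Review bot: The "MixMonitor" registration is the only one of the three that omits EVENT_FLAG_CALL, and nothing in the code says that the difference is deliberate. A later cleanup that makes the three lines uniform by adding EVENT_FLAG_CALL to manager_mixmonitor would reopen the escalation described in the commit log, so a one-line comment above that registration stating that the action can run shell commands and must stay system-only would protect it. The same comment could state that the ORed mask on the other two lines means either class is sufficient, matching the "call or system" wording in UPGRADE.txt, since the mask alone does not say whether one or all of the listed classes are required.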