[asterisk-commits] jrose: branch certified-11.6 r415842 - in /certified/branches/11.6: ./ apps/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Jun 12 11:06:54 CDT 2014


Author: jrose
Date: Thu Jun 12 11:06:51 2014
New Revision: 415842

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=415842
Log:
MixMonitor: Add class authorization requirements to MixMonitor AMI commands

MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class
authorization. StopMixMonitor now requires that the manager user either have
the call or system class authorization. StartMixMonitor is a slightly larger
issue since it can execute shell commands if the right arguments are passed
into it, and we consider this a permission escalation. A security release
will be issued for this problem shortly.

ASTERISK-23609 #close
Reported by: Corey Farrell

........

Merged revisions 415837 from http://svn.asterisk.org/svn/asterisk/branches/11


Modified:
    certified/branches/11.6/   (props changed)
    certified/branches/11.6/UPGRADE.txt
    certified/branches/11.6/apps/app_mixmonitor.c

Propchange: certified/branches/11.6/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Jun 12 11:06:51 2014
@@ -1,2 +1,2 @@
-/branches/11:399513,401167,401179,401182
+/branches/11:399513,401167,401179,401182,415825
 /certified/branches/1.8.15:382389
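Review bot: the revision recorded in svn:mergeinfo does not match the one named in the log message: the property now lists /branches/11:...,415825, while the log says "Merged revisions 415837 from .../branches/11". One of the two is wrong, and a stale or mis-recorded mergeinfo entry will make svn believe a different revision has or has not been merged into this certified branch; please confirm which revision of branches/11 actually carried this fix and correct either the log or the property before this is released.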

Modified: certified/branches/11.6/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.6/UPGRADE.txt?view=diff&rev=415842&r1=415841&r2=415842
==============================================================================
--- certified/branches/11.6/UPGRADE.txt (original)
+++ certified/branches/11.6/UPGRADE.txt Thu Jun 12 11:06:51 2014
@@ -19,6 +19,12 @@
 === UPGRADE-10.txt -- Upgrade info for 1.8 to 10
 ===
 ===========================================================
+
+From 11.6-cert1 to 11.6-cert3:
+* MixMonitor AMI actions now require users to have authorization classes.
+  * MixMonitor - system
+  * MixMonitorMute - call or system
+  * StopMixMonitor - call or system
 
 From 11.6 to 11.6-cert1:
 * Certain dialplan functions have been marked as 'dangerous', and may only be
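Review bot: the action names in this UPGRADE.txt entry (MixMonitor, MixMonitorMute, StopMixMonitor) do not match the log message, which refers to "StartMixMonitor" and never mentions MixMonitorMute at all, even though this hunk and the code change below add a class requirement to it. Since the registered AMI action is "MixMonitor" (see the ast_manager_register_xml calls), the log should use that name and list all three actions, so that administrators searching the history for MixMonitorMute find this change. Consider also stating here why MixMonitor alone requires system (it can run a command when the right arguments are passed), since that is the justification given in the log and is what manager.conf authors will need to know when deciding which users to grant it to.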

Modified: certified/branches/11.6/apps/app_mixmonitor.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/11.6/apps/app_mixmonitor.c?view=diff&rev=415842&r1=415841&r2=415842
==============================================================================
--- certified/branches/11.6/apps/app_mixmonitor.c (original)
+++ certified/branches/11.6/apps/app_mixmonitor.c Thu Jun 12 11:06:51 2014
@@ -1376,9 +1376,9 @@
 	ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
 	res = ast_register_application_xml(app, mixmonitor_exec);
 	res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
-	res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
-	res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
-	res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
+	res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
+	res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
+	res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
 
 	return res;
 }
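Review bot: the flag values being passed are the whole fix, so they deserve a short comment at the registration site explaining the intent: MixMonitor requires EVENT_FLAG_SYSTEM because the action can execute a command, while MixMonitorMute and StopMixMonitor accept EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL. The log and UPGRADE.txt describe the OR'd value as "call or system", which is only true if the manager core treats the authority bitmask as "any of these classes" rather than "all of these classes"; please confirm that against the manager's permission check and note it in the comment, as a reader seeing `EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL` cannot tell which semantics apply. Previously all three actions were registered with authority 0, i.e. any authenticated manager user could invoke them, so this change will break existing manager.conf users that lack the call or system class; the UPGRADE.txt note covers that, but a test that exercises a manager user without those classes would prevent a future regression to 0.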
