[asterisk-commits] kharwell: branch certified-1.8.28 r428393 - in /certified/branches/1.8.28: ./...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Nov 20 10:29:14 CST 2014


Author: kharwell
Date: Thu Nov 20 10:29:12 2014
New Revision: 428393

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=428393
Log:
AST-2014-018 - func_db: DB Dialplan function permission escalation via AMI.

The DB dialplan function when executed from an external protocol (for instance
AMI), could result in a privilege escalation.

Asterisk now inhibits the DB function from being executed from an external
interface if the live_dangerously option is set to no.

ASTERISK-24534
Reported by: Gareth Palmer
patches: submitted by Gareth Palmer (license 5169)
........

Merged revisions 428331 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    certified/branches/1.8.28/   (props changed)
    certified/branches/1.8.28/funcs/func_db.c

Propchange: certified/branches/1.8.28/
------------------------------------------------------------------------------
--- branch-1.8-merged (original)
+++ branch-1.8-merged Thu Nov 20 10:29:12 2014
@@ -1,1 +1,1 @@
-/branches/1.8:1-415260,415841,416066,419630,420434,425985
+/branches/1.8:1-415260,415841,416066,419630,420434,425985,428331

Modified: certified/branches/1.8.28/funcs/func_db.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.28/funcs/func_db.c?view=diff&rev=428393&r1=428392&r2=428393
==============================================================================
--- certified/branches/1.8.28/funcs/func_db.c (original)
+++ certified/branches/1.8.28/funcs/func_db.c Thu Nov 20 10:29:12 2014
@@ -282,7 +282,7 @@
 {
 	int res = 0;
 
-	res |= ast_custom_function_register(&db_function);
+	res |= ast_custom_function_register_escalating(&db_function, AST_CFE_BOTH);
 	res |= ast_custom_function_register(&db_exists_function);
 	res |= ast_custom_function_register_escalating(&db_delete_function, AST_CFE_READ);
 
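Review bot: db_exists_function, on the context line directly below the changed call, is still registered with plain ast_custom_function_register, while db_function now gets AST_CFE_BOTH and db_delete_function already carries AST_CFE_READ. The log message only mentions the DB function, so it is not clear from the patch whether DB_EXISTS was considered and judged safe to call from an external interface or simply missed. If it is intentional, add a short comment at that registration explaining why it needs no escalation flag. If it is not, register it with ast_custom_function_register_escalating as well. Since this changes what AMI users can do when live_dangerously is set to no, the function's documentation and the upgrade notes should mention the new restriction too.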



