[asterisk-dev] 'IAX2 call variable passing between servers '

Steven critch at basesys.com
Sat Jul 29 09:50:49 MST 2006


On Sat, 2006-07-29 at 16:32 +0100, Tim Panton wrote:
> On 29 Jul 2006, at 12:59, Tzafrir Cohen wrote:
> 
> > On Sat, Jul 29, 2006 at 09:19:28AM +0100, Tim Panton wrote:
> >
> >> When I said we could use url style values in the dial plan, I was
> >> thinking of having it work like this:
> >>
> >> dial(IAX2/mexuar/3?customer="JoeBob")
> >>
> >> Asterisk would strip ?customer="JoeBob" from the dial string before
> >> sending it.
> >> It would then add an (optional) InfoElement to the NEW frame with the
> >> variable name and value in it
> >>
> >> The receiving IAX would either ignore the extra InfoElement, or if it
> >> supported it, it would check to see if the variable existed, if not,
> >> create it and assign the value.
> >> (pre existing asterisks will ignore IEs they don't understand)
> >
> > One side point: would you really want to allow a remote server to
> > override any local variable you have? Shouldn't there be a separate
> > namespace (e.g: prefix) for variables that could be supplied by the
> > remote party?
> 
> No, I think it is simpler if the variables are in the same namespace,
> we are all used to there being variables which just appear as the
> result of functions in a dialplan.
> 
> 
> I don't think sent variables should override existing local variables,
> hence the test to see if the variable already exists (see above).

I have only followed snippets of this thread; I may be repeating what
has come elsewhere in the thread.

Maybe you need to spend a little time reading up on why register_globals
was such a bad mistake in PHP.

It doesn't matter if the variable exists; it is a bad idea to allow an
app outside of your control to set variables in your machine in a way that
you don't know them as being from the outside.

For instance, if I knew just a little about the way you use your
dialplan, I could potentially short circuit my way around to using your
outbound lines without proper permission.

Many people might code the dialplan in such a way as to check for
variable existence before setting because computing the value is
expensive enough to not try to set it over and over again. Another
option would be that you have to set the variable once because the
variables you base the decision on change after it is initially set.

If you let variables from the outside set variables in your normal
namespace, you could cause your decision making to go wrong.

Please think about larger issues than what is right in front of you.
Just because you are unlikely to get bit right now, you may later on.
And just as recent releases had to be made for security reasons, you
need to realise that Asterisk is getting to be a big enough target such
that we need to be very aware of outside attacks to what is considered a
very important portion of most people's organization.
-- 
Steven <critch at basesys.com>
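
The concern raised in the message above, as an added example that is not part of the original post and is not Asterisk code: a Python model of a channel's variables comparing the "create only if it does not exist" merge from the thread with a separate prefixed namespace. The names TRUNK_OK, REMOTE_, authorise_outbound and the lookup function are hypothetical.

```python
REMOTE_PREFIX = "REMOTE_"  # assumed prefix for illustration, not an Asterisk convention


def merge_same_namespace(channel_vars, remote_vars):
    """Proposal in the thread: create a remote variable only if it is absent."""
    merged = dict(channel_vars)
    for name, value in remote_vars.items():
        merged.setdefault(name, value)
    return merged


def merge_prefixed(channel_vars, remote_vars):
    """Alternative from the thread: remote values live in their own namespace."""
    merged = dict(channel_vars)
    for name, value in remote_vars.items():
        merged[REMOTE_PREFIX + name] = value
    return merged


def authorise_outbound(channel_vars, caller, lookup):
    """Dialplan habit described above: compute an expensive value only once,
    by testing whether the variable already exists."""
    if "TRUNK_OK" not in channel_vars:
        channel_vars["TRUNK_OK"] = "1" if lookup(caller) else "0"
    return channel_vars["TRUNK_OK"] == "1"


def demo():
    # Constructed sample data: local state when the NEW frame arrives,
    # and the variables carried by the remote side.
    local = {"CALLER": "guest"}
    remote = {"customer": "JoeBob", "TRUNK_OK": "1"}
    allowed = {"alice"}

    def lookup(caller):
        return caller in allowed

    # The existence test passes because TRUNK_OK has not been computed yet,
    # so the remote value is created and the local lookup never runs.
    shared = authorise_outbound(merge_same_namespace(local, remote), "guest", lookup)
    # With a prefix the remote value is still readable as REMOTE_TRUNK_OK,
    # but the decision uses the locally computed TRUNK_OK.
    prefixed = authorise_outbound(merge_prefixed(local, remote), "guest", lookup)
    return shared, prefixed


if __name__ == "__main__":
    print(demo())
```

The existence check only protects variables that were already set before the remote values arrived; anything the dialplan computes lazily afterwards is not covered by it.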



