[asterisk-dev] AEL security

Philipp Kempgen philipp.kempgen at amooma.de
Mon Mar 19 04:32:46 MST 2007


Philipp Kempgen wrote:

> Sergey Okhapkin wrote:
> 
>> AEL needs to use extensions when compiling "switch" statement, asterisk 
>> extensions pattern match is being used for "default" case.
>>
>> On Monday 19 March 2007 06:39, Philipp Kempgen wrote:
>>> Philipp Kempgen wrote:
>>>> It seems like AEL compiles labels into extensions.
>>>> So a user could directly dial to a label which seems
>>>> like a security risk to me. Am I missing something?
>>> Need to correct myself: AEL compiles the cases in a switch
>>> block into extensions. Labels remain untouched. But that
>>> doesn't make it any better.
> 
> Features are not an excuse for weak security. :P

And although it is implemented this way, the AEL compiler could
use something like this for the default case:

exten => 123,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
exten => 123,n,GotoIf($["${switchvar}" = "NOANSWER"]?user_unavail)
exten => 123,n,Goto(default)


Regards,
  Philipp

-- 
amooma GmbH - Bachstr. 126 - 56566 Neuwied - http://www.amooma.de
     Let's use IT to solve problems and not to create new ones.
           Asterisk? -> http://www.das-asterisk-buch.de

Managing director: Stefan Wintermeyer
Commercial register: Neuwied B 14998
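
An added audit sketch for the concern raised in this thread (not part of the original message and not Asterisk project code): it lists compiler-generated switch-case extensions per context in a dialplan dump written in the `exten =>` syntax used above, so a reviewer can see which of them sit in contexts callers can reach. The `sw-<n>-<value>` naming, the sample dump and the context names are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumption: generated case extensions are named sw-<n>-<value>
# (a leading "_" marks a pattern extension, used for the default case).
GENERATED = re.compile(r"^_?sw-\d+-")
CONTEXT = re.compile(r"^\[([^\]]+)\]")
EXTEN = re.compile(r"^exten\s*=>\s*([^,]+),")

# Constructed sample dump, not taken from a real system.
SAMPLE = """\
[from-users]
exten => 123,1,Dial(SIP/123)
exten => 123,2,Goto(sw-1-${DIALSTATUS},10)
exten => sw-1-BUSY,10,Voicemail(123,b)
exten => sw-1-NOANSWER,10,Voicemail(123,u)
exten => _sw-1-.,10,Hangup()

[internal-only]
exten => 200,1,Answer()
exten => 200,n,GotoIf($["${switchvar}" = "BUSY"]?user_busy)
exten => 200,n,Goto(default)
"""

def generated_extensions(dump):
    """Map context name -> sorted generated extension names found in it."""
    found = defaultdict(set)
    context = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        m = CONTEXT.match(line)
        if m:
            context = m.group(1)
            continue
        m = EXTEN.match(line)
        if m and context and GENERATED.match(m.group(1).strip()):
            found[context].add(m.group(1).strip())
    return {ctx: sorted(names) for ctx, names in found.items()}

def exposed(dump, caller_contexts):
    """Generated extensions that sit in contexts callers can reach."""
    hits = generated_extensions(dump)
    return {c: hits[c] for c in caller_contexts if c in hits}

if __name__ == "__main__":
    for ctx, names in exposed(SAMPLE, ["from-users"]).items():
        print(ctx, names)
```

The `internal-only` context in the sample uses the GotoIf form proposed in the message and produces no extra extension names, so it does not appear in the result.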

