[asterisk-dev] New manager action: CreateConfig
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Feb 12 12:10:50 CST 2008
On Tue, Feb 12, 2008 at 05:39:43PM +0100, Johansson Olle E wrote:
>
> On 12 Feb 2008, at 17:10, Tzafrir Cohen wrote:
>
> > On Tue, Feb 12, 2008 at 04:16:48PM +0100, Johansson Olle E wrote:
> >> What happens if I use an argument of "../rc.conf" or "../passwd" ?
> >>
> >> I suggest we filter file name arguments for ".." and "/" in the
> >> arguments of all these configuration actions.
> >
> > You assume the user did not run:
> >
> > System(ln -s / /etc/asterisk/rootdir)
> >
> > Running Asterisk as root is bad for your health.
>
>
> Well, I won't disagree. But that's not a good reason for adding new
> holes, is it?

Asterisk can today write practically arbitrary data to an arbitrary file
through recording.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
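
An added example, not code from Asterisk or from anyone in this thread: one way to combine the string filter proposed above (no ".." and no "/") with a check made at open time, since a name that passes the filter can still be a symlink sitting in the configuration directory. The helper names, the temporary directory and the link target are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The lexical filter suggested in the thread: no "/" and no "..". */
int config_name_ok(const char *name)
{
    return name && *name && !strchr(name, '/') && !strstr(name, "..");
}

/* Hypothetical helper: create an empty file directly inside dir; 0 if created. */
int create_config_in(const char *dir, const char *name)
{
    int dfd, fd;
    if (!config_name_ok(name))
        return -1;
    if ((dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    /* O_EXCL refuses any existing entry, e.g. a symlink planted in dir. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    close(dfd);
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : -1;
}

/* Constructed scenario in a temp dir; bit n is set if case n was accepted. */
int demo(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", path[64];
    int accepted = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof(path), "%s/link.conf", dir);
    if (symlink("/nonexistent/target", path) != 0)
        return -1;
    accepted |= (create_config_in(dir, "new.conf") == 0) << 0;
    accepted |= (create_config_in(dir, "../rc.conf") == 0) << 1;
    accepted |= (create_config_in(dir, "link.conf") == 0) << 2;
    unlink(path);
    snprintf(path, sizeof(path), "%s/new.conf", dir);
    unlink(path);
    rmdir(dir);
    return accepted;
}

int main(void) { printf("accepted mask: %d\n", demo()); return 0; }
```

Only the plain new name is accepted. A directory symlink such as the `rootdir` one quoted above is reachable only through a name containing "/", which the filter rejects, and neither check limits what the process can write through other features such as recording.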