[asterisk-dev] New manager action: CreateConfig
Benny Amorsen
benny+usenet at amorsen.dk
Tue Feb 12 12:36:36 CST 2008
Johansson Olle E <oej at edvina.net> writes:
> What happens if I use an argument of "../rc.conf" or "../passwd" ?
>
> I suggest we filter file name arguments for ".." and "/" in the
> arguments of all these configuration actions.
It's very hard to do this securely if users have permission to write
to the same directories. E.g. make sure that you always create new
files, never write to an existing file. (ln /etc/passwd foo,
asterisk writes to foo...) Symlinks are even worse, but easier to
detect.
/Benny
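
The two checks discussed in this thread, as an added example that is not part of the original message and is not Asterisk code: reject names containing "/" or "..", then create the file with O_CREAT|O_EXCL|O_NOFOLLOW so that a name which already exists (hard link or symlink included) is refused rather than written to. The function names and the /tmp demo directory are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: bare file name only, no "/" and no ".." anywhere. */
int config_name_ok(const char *name)
{
    return name != NULL && name[0] != '\0' && strlen(name) <= 255 &&
           strchr(name, '/') == NULL && strstr(name, "..") == NULL;
}

/* Hypothetical helper: create a new file in config_dir and return its fd,
 * or -1 with errno set. O_EXCL refuses any existing name (EEXIST),
 * including a planted hard link or symlink, so an existing file is never
 * opened for writing. */
int create_config(const char *config_dir, const char *name)
{
    int dirfd, fd, saved;
    if (!config_name_ok(name)) { errno = EINVAL; return -1; }
    dirfd = open(config_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    saved = errno;          /* keep openat's errno across close() */
    close(dirfd);
    errno = saved;
    return fd;
}

/* Constructed demo: plant "foo" as a hard link (or symlink) to another
 * file in a scratch directory, then ask for "foo". Returns 1 if refused. */
int planted_name_is_refused(int use_symlink)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", victim[64], planted[64];
    int fd, refused;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/foo", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
    if ((use_symlink ? symlink(victim, planted) : link(victim, planted)) != 0)
        return -1;
    refused = (create_config(dir, "foo") == -1 && errno == EEXIST);
    unlink(planted); unlink(victim); rmdir(dir);
    return refused;
}
```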