[asterisk-dev] Dialplan oddities with recent Asterisk ?

Olle E. Johansson oej at edvina.net
Tue Feb 9 02:43:01 CST 2010


9 feb 2010 kl. 09.31 skrev Hans Petter Selasky:

> Hi,
> 
> I'm just asking if it is possible to insert commands into the dialplan of 
> Asterisk? For example:
> 
> extensions.conf:
> 
> [from_sip]
> 
> exten => _X.,1,Dial(SIP/${EXTEN}@testsip)
> 
> And if ${EXTEN} = "000@testsip&SIP/333" what turns out to happen then is 
> similar to SQL injection :-(
> 
> I've noticed that incoming phone numbers in chan_sip.c are only strdup'ed. 
> Many years ago I wrote in my ISDN4BSD software, that people that don't filter 
> incoming digits should not program PBX software :-) Does Asterisk have any 
> filtering of the destination extension by default?
> 
> I was not able to reproduce the issue on a vanilla Asterisk, because I found 
> it hard to send the "&" character in the destination number, because it was 
> always interpreted by the Dial command. But by modifying chan_sip.c, to send 
> this character I was able to do some strange things :-(
> 
> Any comments?

That's an interesting catch. We should probably have a small dialplan function that checks for these patterns.
I don't want to embed rulesets in the channel - it has to follow the specs and do what it's supposed to do.

/O
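As an added illustration of the injection described above and of the filtering Olle suggests (example code written for this page, not part of the thread or of Asterisk itself): a small Python model of the `Dial(SIP/${EXTEN}@testsip)` line. The `&`-splitting in `dial_targets` is a deliberate simplification of how the Dial application separates multiple targets, `filter_digits` mirrors what the real `FILTER(0-9,${EXTEN})` dialplan function does, and `safe_exten` shows the stricter reject-instead-of-strip check. The sample extension value is the one from the post, with the archive's " at " obfuscation assumed to stand for "@"; the peer name `testsip` is taken from the post.

```python
import re

# Constructed sample input: the hostile extension from the post (assumption:
# " at " in the archive is the obfuscated "@"), plus an ordinary one.
HOSTILE_EXTEN = "000@testsip&SIP/333"
CLEAN_EXTEN = "5551234"


def build_dial_arg(exten, peer="testsip"):
    """Mirror the dialplan line: exten => _X.,1,Dial(SIP/${EXTEN}@testsip)"""
    return f"SIP/{exten}@{peer}"


def dial_targets(dial_arg):
    """Simplified model of the Dial application's first argument: '&' separates
    independent Technology/Resource targets that are rung in parallel."""
    return [target for target in dial_arg.split("&") if target]


def filter_digits(value):
    """Equivalent of the dialplan function FILTER(0-9,${EXTEN}): keep only the
    digits, silently dropping every other character."""
    return "".join(re.findall(r"[0-9]", value))


def safe_exten(value):
    """Stricter alternative: accept the extension only if it is made up entirely
    of digits (what a _X. pattern is meant to receive); otherwise return None so
    the dialplan can Hangup() instead of dialing something unexpected."""
    return value if re.fullmatch(r"[0-9]+", value) else None


if __name__ == "__main__":
    # Unfiltered: one inbound number turns into two dial targets.
    print(dial_targets(build_dial_arg(HOSTILE_EXTEN)))
    # FILTER()-style stripping: one target, but the number has changed ("000333"),
    # so the call would still go somewhere the caller did not ask for.
    print(dial_targets(build_dial_arg(filter_digits(HOSTILE_EXTEN))))
    # Reject-instead-of-strip: the hostile value is refused, the clean one passes.
    print(safe_exten(HOSTILE_EXTEN), safe_exten(CLEAN_EXTEN))
```

In dialplan terms the stripping variant is `Set(EXTEN_SAFE=${FILTER(0-9,${EXTEN})})` before the Dial; the reject variant compares that result with `${EXTEN}` and hangs up on a mismatch, which avoids quietly dialing a different number as the `000333` case shows.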

