[asterisk-dev] Dialplan oddities with recent Asterisk ?
Olle E. Johansson
oej at edvina.net
Tue Feb 9 02:43:01 CST 2010
On 9 Feb 2010, at 09:31, Hans Petter Selasky wrote:
> Hi,
>
> I'm just asking if it is possible to insert commands into the dialplan of
> Asterisk? For example:
>
> extensions.conf:
>
> [from_sip]
>
> exten => _X.,1,Dial(SIP/${EXTEN}@testsip)
>
> And if ${EXTEN} = "000@testsip&SIP/333" what turns out to happen then is
> similar to SQL injection :-(
>
> I've noticed that incoming phone numbers in chan_sip.c are only strdup'ed.
> Many years ago I wrote in my ISDN4BSD software, that people that don't filter
> incoming digits should not program PBX software :-) Does Asterisk have any
> filtering of the destination extension by default?
>
> I was not able to reproduce the issue on a vanilla Asterisk, because I found
> it hard to send the "&" character in the destination number, because it was
> always interpreted by the Dial command. But by modifying chan_sip.c, to send
> this character I was able to do some strange things :-(
>
> Any comments?
That's an interesting catch. We should probably have a small dialplan function that checks for these patterns.
I don't want to embed rulesets in the channel - it has to follow the specs and do what it's supposed to do.
/O
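An added illustration, in Python, of the behaviour discussed in this thread; it is not code from the thread or from Asterisk. It models why an `_X.` pattern and a bare `${EXTEN}` inside `Dial(SIP/${EXTEN}@testsip)` let a value containing `&` ring extra channels, and shows the allowlist check a dialplan author would put in front of Dial(). The pattern matcher and the `&` splitting are simplified models of Asterisk's behaviour (assumptions, not Asterisk source); the character stripping mirrors what Asterisk's FILTER() dialplan function does.

```python
import re

# Constructed model of the dialplan line from the thread; not Asterisk code.
# Dial() rings every channel in an '&'-separated list, so an unfiltered
# ${EXTEN} that contains '&' smuggles extra dial targets into the call.


def matches_pattern_x_dot(exten: str) -> bool:
    """Simplified model of the Asterisk pattern '_X.': one digit followed by
    one or more of anything. It never inspects the tail, which is why the
    pattern alone does nothing to stop an injected '&'."""
    return re.fullmatch(r"[0-9].+", exten) is not None


def build_dial_arg(exten: str) -> str:
    """The Dial() argument as the thread's dialplan builds it:
    Dial(SIP/${EXTEN}@testsip) with ${EXTEN} substituted verbatim."""
    return f"SIP/{exten}@testsip"


def dial_targets(dial_arg: str) -> list:
    """Split a Dial() argument into the channels it would ring.
    Simplified model of Dial()'s '&' separator (an assumption)."""
    return [target for target in dial_arg.split("&") if target]


# Characters a dialable number may contain; everything else is stripped.
ALLOWED = re.compile(r"[0-9+*#]+")


def filter_exten(exten: str) -> str:
    """Keep only dialable characters, like FILTER(0-9+*#,${EXTEN})."""
    return "".join(ALLOWED.findall(exten))


def is_clean_exten(exten: str) -> bool:
    """Reject rather than repair: if filtering changed anything, the
    number was tampered with and should not be dialed at all."""
    return exten != "" and filter_exten(exten) == exten


def safe_dial_targets(exten: str) -> list:
    """Hardened path: refuse the call unless the extension is clean,
    otherwise build the same Dial() argument as before."""
    if not is_clean_exten(exten):
        return []
    return dial_targets(build_dial_arg(exten))


if __name__ == "__main__":
    # Constructed sample extensions: a normal number and the thread's payload.
    for exten in ("5551234", "000@testsip&SIP/333"):
        print(f"{exten!r}: matches _X. = {matches_pattern_x_dot(exten)}")
        print("  unfiltered Dial() rings:", dial_targets(build_dial_arg(exten)))
        print("  filtered   Dial() rings:", safe_dial_targets(exten))
```

The point of `is_clean_exten` is that stripping `&`, `@` and letters from `000@testsip&SIP/333` leaves `000333`, a number nobody asked for; comparing the filtered value with the original and rejecting on mismatch (the dialplan equivalent is a GotoIf on `${FILTER(0-9+*#,${EXTEN})}` against `${EXTEN}`) is safer than dialing whatever survives the filter.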