[asterisk-dev] Dialplan oddities with recent Asterisk ?
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Feb 9 06:09:10 CST 2010
On 09.02.2010 09:43, Olle E. Johansson wrote:
>
> On 9 Feb 2010 at 09:31, Hans Petter Selasky wrote:
>
>> Hi,
>>
>> I'm just asking if it is possible to insert commands into the dialplan of
>> Asterisk? For example:
>>
>> extensions.conf:
>>
>> [from_sip]
>>
>> exten => _X.,1,Dial(SIP/${EXTEN}@testsip)
>>
>> And if ${EXTEN} = "000@testsip&SIP/333" what turns out to happen then is
>> similar to SQL injection :-(
>>
>> I've noticed that incoming phone numbers in chan_sip.c are only strdup'ed.
>> Many years ago I wrote in my ISDN4BSD software, that people that don't filter
>> incoming digits should not program PBX software :-) Does Asterisk have any
>> filtering of the destination extension by default?
>>
>> I was not able to reproduce the issue on a vanilla Asterisk, because I found
>> it hard to send the "&" character in the destination number, because it was
>> always interpreted by the Dial command. But by modifying chan_sip.c, to send
>> this character I was able to do some strange things :-(
>>
>> Any comments?
>
> That's an interesting catch. We should probably have a small dialplan function that checks for these patterns.
> I don't want to embed rulesets in the channel - it has to follow the specs and do what it's supposed to do.
Indeed interesting. We could fix this by having better patterns. E.g. '.'
and '!' unfortunately accept all characters. We would need something
like in regexps, e.g. _+4312345[0-9]*
Another approach would be a configurable whitelist or blacklist for
extension characters somewhere in core.
regards
klaus
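To make the two points in this thread concrete (the `.` / `!` wildcards accepting any character, and the whitelist idea), here is an added example that is not from the thread or from Asterisk's own source: a small re-implementation of Asterisk's dialplan pattern syntax (X, Z, N, [sets], `.`, `!`) as a regex, plus a character whitelist of the kind proposed above. The whitelist regex is an assumption about what a given deployment wants to allow.

```python
import re

# Translate an Asterisk dialplan pattern such as "_X." or "_+4312345XXXX"
# into an anchored regular expression. This mirrors the documented
# pattern syntax; it is an illustration, not Asterisk's own matcher (pbx.c).
def pattern_to_regex(pattern: str) -> str:
    if not pattern.startswith("_"):
        return "^" + re.escape(pattern) + "$"   # literal extension, exact match
    out = ["^"]
    i = 1
    while i < len(pattern):
        c = pattern[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == "[":                           # explicit set, e.g. [15-7]
            j = pattern.index("]", i)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j
        elif c == ".":
            out.append(".+")   # one or more of ANY character: '&' and '@' included
        elif c == "!":
            out.append(".*")   # zero or more of ANY character
        else:
            out.append(re.escape(c))             # '+', digits, etc. are literal
        i += 1
    out.append("$")
    return "".join(out)

def matches(pattern: str, exten: str) -> bool:
    """True if the dialled extension would be accepted by the given pattern."""
    return re.fullmatch(pattern_to_regex(pattern), exten) is not None

# Assumed whitelist for a trunk that should only ever see E.164-style numbers:
# optional leading '+', then digits, '*' and '#'. Anything else (including the
# Dial separator '&' and the '@' host separator) is rejected before Dial().
ALLOWED = re.compile(r"\+?[0-9*#]+")

def is_safe_exten(exten: str) -> bool:
    return ALLOWED.fullmatch(exten) is not None
```

Run against the string from the original report, `_X.` accepts it (the first character is a digit and `.` swallows the rest), while a pattern with a fixed digit count or the whitelist rejects it.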