[asterisk-dev] Dialplan oddities with recent Asterisk ?
Benny Amorsen
benny+usenet at amorsen.dk
Tue Feb 9 14:24:04 CST 2010
Pavel Troller <patrol at sinus.cz> writes:
> I was looking at the Filter() function and it seems that I would like
> an inverse implementation - not to pass allowed characters only, but to
> filter out disallowed ones - for example, I would like to permit a large
> number of various characters in the dial string, but definitively to filter
> out '&' and maybe a few others, for which the current Filter() implementation
> doesn't seem to be ideal.
You're facing the same vulnerabilities that web developers have been
struggling with for ages. In the beginning they were handled by trying
to filter out "bad" characters or by automatically quoting them. E.g.
PHP's "magic quotes".
The web development experience has shown that this is not the way to go.
Only very strict filters actually work.
It would be handy if Asterisk extension patterns forced people to
consider these things and deprecated the ! and . wildcards. But perhaps
I'm just blaming Asterisk for my own lack of foresight.
I'm usually so paranoid. I've worried lots about what people put in
${CALLERID} and various SIP headers, and then I get 0wned by ${EXTEN}.
Embarrassing.
/Benny
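Added example, not code from the thread or from Asterisk itself: a small Python model of the point Benny makes about strict allowlists versus stripping "bad" characters, applied to an extension taken from ${EXTEN}. In extensions.conf a pattern such as `_X.` matches one digit followed by one or more characters of any kind, so ${EXTEN} can carry whatever the request URI carried, and `&` is the separator Dial() uses between multiple targets. The `filter_allowed` function is a Python approximation of Asterisk's Filter(allowed-chars,string) semantics (keep only the listed characters, with `a-z` style ranges; the real function also handles escaped `-` and `\`, which this model ignores). The peer name `trunk` and the allowed-character set are assumptions for the example.

```python
import re

# Model of Asterisk's Filter(allowed-chars, string): keep only characters in the
# allowed set, which may contain ranges such as 0-9. Written for this example;
# it is not Asterisk's own implementation and it does not handle escapes.
def expand_ranges(allowed: str) -> set:
    chars = set()
    i = 0
    while i < len(allowed):
        if i + 2 < len(allowed) and allowed[i + 1] == "-":
            lo, hi = allowed[i], allowed[i + 2]
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            chars.add(allowed[i])
            i += 1
    return chars


def filter_allowed(allowed: str, s: str) -> str:
    """Allowlist stripping: drop every character not in `allowed`."""
    keep = expand_ranges(allowed)
    return "".join(ch for ch in s if ch in keep)


def blacklist_strip(s: str, bad: str = "&") -> str:
    """Denylist stripping, the approach the thread argues against:
    remove only the characters we happened to think of."""
    return "".join(ch for ch in s if ch not in bad)


# Strict validation: the whole value must match, or the call is refused.
# The set below (digits, +, *, #, at most 32 characters) is an assumption
# chosen for this example; a real deployment picks what its trunk accepts.
EXTEN_RE = re.compile(r"^[0-9+*#]{1,32}$")


def validate_exten(exten: str) -> bool:
    return EXTEN_RE.fullmatch(exten) is not None


def safe_dial_target(exten: str, peer: str = "trunk") -> str:
    """Return the Dial() argument for a validated extension, or None.
    Rejecting is preferable to stripping: stripping silently changes the
    number that gets dialed instead of refusing the call."""
    if not validate_exten(exten):
        return None
    return f"SIP/{exten}@{peer}"


if __name__ == "__main__":
    # Constructed inputs, as they might arrive in ${EXTEN} under a _X. pattern.
    samples = ["+4512345678", "12345&SIP/attacker", "12&34"]
    for s in samples:
        print(f"{s!r}:")
        print(f"  denylist strip  -> {blacklist_strip(s)!r}")
        print(f"  Filter(0-9)     -> {filter_allowed('0-9', s)!r}")
        print(f"  strict validate -> {safe_dial_target(s)!r}")
```

Running it shows the difference in failure modes: the denylist leaves `SIP/attacker` in place and turns `12&34` into `1234`; the Filter-style allowlist also reduces `12&34` to `1234`, a valid-looking number the caller never asked for; only the strict validator refuses both and lets the dialplan hang up instead of dialing something unintended.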