[asterisk-dev] Dialplan oddities with recent Asterisk ?

Klaus Darilion klaus.mailinglists at pernau.at
Tue Feb 9 15:40:10 CST 2010



On 09.02.2010 19:00, Tilghman Lesher wrote:
> On Tuesday 09 February 2010 08:07:07 Jared Smith wrote:
>>> I've noticed that incoming phone numbers in chan_sip.c are only
>>> strdup'ed. Many years ago I wrote in my ISDN4BSD software, that people
>>> that don't filter incoming digits should not program PBX software :-)
>>> Does Asterisk have any filtering of the destination extension by default?
>>
>> I'm not sure of any it might have by default, but you can always do
>> filtering in the dialplan with the FILTER() dialplan function before
>> using ${EXTEN} variable.
>
> I'll second this.  If you need to use the period or exclamation point in your
> dialplan, chances are you're providing expensive services (international)
> already, and you should be taking every measure to ensure that you aren't
> charged incorrectly.  FILTER is an excellent tool for this.

I would prefer if such attempts would not even hit the dialplan.

Just consider this simple scenario - a pattern which matches international
calls - we do not know how long the number is. Thus I have to use '!' or '.'.

exten => _+!,1,.....

Of course I can use something like

exten => _+[1-9][0-9][0-9]!,1,.....

but finally I have to put a ! or . into the pattern. So the pattern is
vulnerable to the above attack and as a workaround FILTER can be used.

IMO a solution would be a pattern which matches not every character, but 
e.g. only digits (like regexp [0-9]*) or characters/digits (like regexp 
[0-9a-zA-Z.-]*).

regards
Klaus
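
Added example, not part of the original message and not Asterisk code: a simplified Python model of dialplan pattern matching showing that the '!' wildcard in the patterns above accepts any trailing characters, next to a FILTER()-style check and the digits-only match the message proposes. The function names and the sample extensions are assumptions made for illustration.

```python
import re

# Simplified model of Asterisk extension pattern matching (assumption: only
# the X/Z/N classes, [...] sets, and the '.' and '!' wildcards are handled).
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def pattern_to_regex(pattern):
    """Translate a dialplan pattern such as '_+!' into a compiled regex."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern))  # literal extension
    out, i, body = [], 0, pattern[1:]
    while i < len(body):
        ch = body[i]
        if ch == "[":
            end = body.index("]", i)
            out.append(body[i:end + 1])        # set copied through as-is
            i = end
        elif ch == ".":
            out.append(".+")                   # one or more of ANY character
        elif ch == "!":
            out.append(".*")                   # zero or more of ANY character
        else:
            out.append(CLASSES.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def matches(pattern, exten):
    return pattern_to_regex(pattern).fullmatch(exten) is not None

def filter_chars(allowed, value):
    """Keep only allowed characters, like FILTER() applied to ${EXTEN}."""
    return "".join(c for c in value if c in allowed)

def is_clean(exten, allowed="+0123456789"):
    """True when filtering changes nothing, i.e. no unexpected characters."""
    return filter_chars(allowed, exten) == exten

def digits_only_match(exten):
    """The stricter match proposed in the message: '+' then regexp [0-9]*."""
    return re.fullmatch(r"\+[0-9]*", exten) is not None

# Constructed sample extensions, not taken from real traffic.
SAMPLES = ["+4312345678", "+4312345678abc", "+431234#5678"]

if __name__ == "__main__":
    for exten in SAMPLES:
        print(exten, matches("_+[1-9][0-9][0-9]!", exten),
              is_clean(exten), digits_only_match(exten))
```

All three samples match the wildcard pattern, but only the first passes the filter comparison and the digits-only match.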



