[asterisk-dev] Dialplan oddities with recent Asterisk ?

Olle E. Johansson oej at edvina.net
Wed Feb 10 06:49:47 CST 2010


On 10 Feb 2010, at 12:01, Nick Lewis wrote:

>  >  As for potential security risks per dial plan features I think a less aggressive approach might be considered. 
> 
>  I think that the security risk does need to be tackled. I suggest that the ${EXTEN} is always represented in the dialplan in a "dialplan-encoded" format.

Changing the current behaviour will cause a massive amount of bug reports and issues. I don't like that idea. It has to be configurable or be an optional module, like a dialplan function.

/O

>  
> The exact nature of the encoding is not important but I guess that a simple backslash encoding would be suitable for ASCII characters that clashed with dialplan punctuation. (I would personally prefer all characters to be backslash encoded except alphanumeric, star and hash so that new punctuation could be added to the dialplan).
>  
> At the interface between the pbx and the channels, the pbx would encode and decode extensions as necessary between a raw and dialplan-encoded format. This would prevent any extension content being interpreted as dialplan code.
>  
> -- N_L
> 

---
* Olle E Johansson - oej at edvina.net
* Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
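
The "dialplan-encoded" format proposed in the quoted message, sketched in C as an added example (not code from this thread or from Asterisk). The function names `exten_encode` and `exten_decode` and the sample extension are hypothetical; the escape set is the one the quoted message prefers, with every byte backslash-escaped except alphanumerics, star and hash.

```c
#include <string.h>

/* Left unescaped per the proposal: alphanumerics, star and hash. */
static int exten_is_safe(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') || c == '*' || c == '#';
}

/* Channel -> pbx: raw to encoded. Returns length, -1 if dst is too small. */
int exten_encode(const char *raw, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *raw; raw++) {
        size_t need = exten_is_safe((unsigned char)*raw) ? 1 : 2;
        if (o + need + 1 > dstlen) return -1;   /* keep room for the NUL */
        if (need == 2) dst[o++] = '\\';
        dst[o++] = *raw;
    }
    if (dstlen == 0) return -1;
    dst[o] = '\0';
    return (int)o;
}

/* pbx -> channel: encoded to raw. -1 on malformed input or small dst. */
int exten_decode(const char *enc, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *enc; enc++) {
        int escaped = (*enc == '\\');
        if (escaped && *++enc == '\0') return -1;   /* dangling backslash */
        /* An unescaped unsafe byte means the input was never encoded. */
        if (!escaped && !exten_is_safe((unsigned char)*enc)) return -1;
        if (o + 2 > dstlen) return -1;
        dst[o++] = *enc;
    }
    if (dstlen == 0) return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    char enc[64], dec[64];
    const char *raw = "12*#a&b,c";   /* constructed sample extension */
    if (exten_encode(raw, enc, sizeof enc) < 0 || exten_decode(enc, dec, sizeof dec) < 0)
        return 1;
    return strcmp(raw, dec) != 0;    /* exit 0 when the round trip is lossless */
}
```

The decoder rejects unescaped punctuation rather than passing it through, so a value that skipped the encoding step fails at the boundary instead of reaching a channel.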





