[asterisk-dev] Dialplan oddities with recent Asterisk ?

Leif Madsen leif.madsen at asteriskdocs.org
Thu Feb 11 06:53:10 CST 2010


Benny Amorsen wrote:
> Pavel Troller <patrol at sinus.cz> writes:
> 
>>   I was looking at the Filter() function and it seems that I would like
>> an inverse implementation - not to pass allowed characters only, but to
>> filter out disallowed ones - for example, I would like to permit a large
>> number of various characters in the dial string, but definitively to filter
>> out '&' and maybe a few others, for which the current Filter() implementation
>> doesn't seem to be ideal.
> 
> You're facing the same vulnerabilities that web developers have been
> struggling with for ages. In the beginning they were handled by trying
> to filter out "bad" characters or by automatically quoting them. E.g.
> PHP's "magic quotes".
> 
> The web development experience has shown that this is not the way to go.
> Only very strict filters actually work.

I agree. The first thing I thought when reading the other post was, "But what 
about when someone sends you a character you weren't expecting?".

FILTER() is likely designed the right way, in that you state what you will 
accept, and not what you won't accept.

Leif.
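The allowlist-versus-denylist point made in this thread, as an added example (not code from the thread, from Leif, or from Asterisk itself): `filter_allowed` mirrors the semantics of Asterisk's FILTER() (keep only characters in the allowed set, with ranges such as `0-9` expanded), and `strip_disallowed` is the inverse approach Pavel asked about (drop a fixed set of "bad" characters, pass everything else). The helper and function names, the range/escape handling and the sample dial strings are this example's own assumptions, constructed to show what each approach does with a character the filter was never told about.

```python
"""Allowlist vs. denylist filtering of a dial string.

Added example; not code from the asterisk-dev thread or from Asterisk.
filter_allowed() follows the FILTER()-style rule of stating what is
accepted; strip_disallowed() is the inverse, remove-the-bad-ones rule.
The sample strings at the bottom are constructed for this example.
"""


def expand_allowed(spec: str) -> set:
    """Expand an allowed-character spec such as '0-9+*#' into a set.

    Assumed mini-grammar for this example: 'x-y' is an inclusive range,
    and a backslash escapes the next character, so '\\-' is a literal hyphen.
    """
    allowed = set()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):      # escaped literal
            allowed.add(spec[i + 1])
            i += 2
            continue
        if i + 2 < len(spec) and spec[i + 1] == "-":   # range x-y
            lo, hi = ord(ch), ord(spec[i + 2])
            if lo > hi:
                raise ValueError(f"invalid range {ch}-{spec[i + 2]}")
            allowed.update(chr(c) for c in range(lo, hi + 1))
            i += 3
            continue
        allowed.add(ch)
        i += 1
    return allowed


def filter_allowed(spec: str, value: str) -> str:
    """Allowlist: keep only characters present in spec (FILTER()-style)."""
    allowed = expand_allowed(spec)
    return "".join(c for c in value if c in allowed)


def strip_disallowed(bad: str, value: str) -> str:
    """Denylist: drop the characters in bad, pass everything else through.

    Any character the author did not think of is passed untouched.
    """
    return "".join(c for c in value if c not in bad)


def is_clean_dial_string(spec: str, value: str) -> bool:
    """Strict check: accept the string only if filtering changes nothing.

    Rejecting is safer than silently stripping, because stripping can turn
    an unexpected input into a different but well-formed dial string.
    """
    return filter_allowed(spec, value) == value


if __name__ == "__main__":
    # Constructed sample inputs; the second and third carry characters
    # a numeric dial string should never contain.
    samples = ["+4512345678", "100&SIP/foo", "100/foo"]
    for s in samples:
        print(f"{s!r:16} allow={filter_allowed('0-9+*#', s)!r:14} "
              f"deny={strip_disallowed('&', s)!r:14} "
              f"clean={is_clean_dial_string('0-9+*#', s)}")
```

The denylist version removes the one character it was told about and hands `100/foo` on unchanged, which is exactly the "character you weren't expecting" case; the allowlist version reduces both bad inputs to `100`, and the strict check rejects them outright rather than dialling whatever is left over.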
